Summary:


NtCreateMutant(>)  1 
NtOpenDirectoryObject(>)  2 
NtGdiGetStockObject(>)  5 
NtFlushInstructionCache(>)  18 

NtFsControlFile(>)  1 
NtOpenEvent(>)  2 
NtQueryInformationToken(>)  5 
NtRegisterThreadTerminatePort(>)  19 

NtGdiCreateBitmap(>)  1 
NtOpenProcessToken(>)  2 
NtDuplicateObject(>)  6 
NtTestAlert(>)  19 

NtGdiInit(>)  1 
NtOpenProcessTokenEx(>)  2 
NtOpenFile(>)  6 
NtResumeThread(>)  20 

NtGdiQueryFontAssocInfo(>)  1 
NtOpenThreadTokenEx(>)  2 
NtQueryAttributesFile(>)  6 
NtFreeVirtualMemory(>)  24 

NtGdiSelectBitmap(>)  1 
NtQueryDefaultLocale(>)  2 
NtQueryVirtualMemory(>)  7 
NtContinue(>)  26 

NtOpenKeyedEvent(>)  1 
NtQuerySection(>)  2 
NtQueryInformationProcess(>)  8 
NtSetEvent(>)  27 

NtOpenMutant(>)  1 
NtRaiseException(>)  2 
NtUserFindExistingCursorIcon(>)  9 
NtOpenKey(>)  29 

NtOpenSymbolicLinkObject(>)  1 
NtSetInformationObject(>)  2 
NtCreateFile(>)  10 
NtSetInformationThread(>)  29 

NtQueryObject(>)  1 
NtTerminateProcess(>)  2 
NtSetValueKey(>)  10 
NtCreateEvent(>)  31 

NtQuerySymbolicLinkObject(>)  1 
NtUnmapViewOfSection(>)  2 
NtCreateKey(>)  11 
NtWaitForSingleObject(>)  36 

NtQuerySystemTime(>)  1 
NtCallbackReturn(>)  3 
NtOpenProcess(>)  11 
NtReadVirtualMemory(>)  37 

NtSecureConnectPort(>)  1 
NtGdiCreateCompatibleDC(>)  3 
NtQueryValueKey(>)  13 
NtQueryInformationThread(>)  40 

NtSetInformationProcess(>)  1 
NtReleaseMutant(>)  3 
NtUserRegisterClassExWOW(>)  14 
NtProtectVirtualMemory(>)  61 

NtSetSecurityObject(>)  1 
NtUserBuildHwndList(>)  3 
NtMapViewOfSection(>)  15 
NtRequestWaitReplyPort(>)  61 

NtUserCallNoParam(>)  1 
NtUserCallOneParam(>)  3 
NtTerminateThread(>)  15 
NtAllocateVirtualMemory(>)  63 

NtUserGetThreadDesktop(>)  1 
NtUserGetThreadState(>)  3 
NtDeviceIoControlFile(>)  16 
NtQuerySystemInformation(>)  91 

NtWaitForMultipleObjects(>)  1 
NtCreateSection(>)  4 
NtOpenSection(>)  16 
NtClose(>)  122 

NtConnectPort(>)  2 
NtQueryVolumeInformationFile(>)  4 
NtWriteFile(>)  16 
NtUserValidateHandleSecure(>)  137 

NtGdiCreateSolidBrush(>)  2 
NtUserFindWindowEx(>)  4 
NtCreateThread(>)  18 
NtUserQueryWindow(>)  268 


Trace:
 00001  1744   NtOpenFile  (0x80100000, {24, 0, 0x240, 0, 0,  (0x80100000, {24, 0, 0x240, 0, 0, "\SystemRoot\Prefetch\PACKED.EXE-09ED06A1.pf"}, 0, 32, ... ) }, 0, 32, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00002  1744   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00003  1744   NtOpenKeyedEvent  (0x2000000, {24, 0, 0x0, 0, 0,  (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 8, ) }, ... 8, ) == 0x0
 00004  1744   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00005  1744   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 1310720, 1048576, ) == 0x0
 00006  1744   NtAllocateVirtualMemory  (-1, 1310720, 0, 4096, 4096, 4, ... 1310720, 4096, ) == 0x0
 00007  1744   NtAllocateVirtualMemory  (-1, 1314816, 0, 8192, 4096, 4, ... 1314816, 8192, ) == 0x0
 00008  1744   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00009  1744   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 2359296, 65536, ) == 0x0
 00010  1744   NtAllocateVirtualMemory  (-1, 2359296, 0, 24576, 4096, 4, ... 2359296, 24576, ) == 0x0
 00011  1744   NtOpenDirectoryObject  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 12, ) }, ... 12, ) == 0x0
 00012  1744   NtOpenSymbolicLinkObject  (0x1, {24, 12, 0x40, 0, 0,  (0x1, {24, 12, 0x40, 0, 0, "KnownDllPath"}, ... 16, ) }, ... 16, ) == 0x0
 00013  1744   NtQuerySymbolicLinkObject  (16, ...  (16, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0
 00014  1744   NtClose  (16, ... ) == 0x0
 00015  1744   NtOpenFile  (0x100020, {24, 0, 0x42, 0, 0,  (0x100020, {24, 0, 0x42, 0, 0, "\??\C:\scripts\"}, 3, 33, ... 16, {status=0x0, info=1}, ) }, 3, 33, ... 16, {status=0x0, info=1}, ) == 0x0
 00016  1744   NtQueryVolumeInformationFile  (16, 1243852, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00017  1744   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243804, ... ) }, 1243804, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00018  1744   NtOpenSection  (0xe, {24, 12, 0x40, 0, 0,  (0xe, {24, 12, 0x40, 0, 0, "kernel32.dll"}, ... 20, ) }, ... 20, ) == 0x0
 00019  1744   NtMapViewOfSection  (20, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x7c800000), 0x0, 1003520, ) == 0x0
 00020  1744   NtClose  (20, ... ) == 0x0
 00021  1744   NtProtectVirtualMemory  (-1, (0x7c801000), 1568, 4, ... (0x7c801000), 4096, 32, ) == 0x0
 00022  1744   NtProtectVirtualMemory  (-1, (0x7c801000), 4096, 32, ... (0x7c801000), 4096, 4, ) == 0x0
 00023  1744   NtFlushInstructionCache  (-1, 2088767488, 1568, ... ) == 0x0
 00024  1744   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 00025  1744   NtQuerySystemInformation  (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0
 00026  1744   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00027  1744   NtCreateSection  (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 20, ) == 0x0
 00028  1744   NtSecureConnectPort  ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 20, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1241944, 44, ... 28, {24, 20, 0, 65536, 2424832, 19136512}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 20, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1241944, 44, ... 28, {24, 20, 0, 65536, 2424832, 19136512}, {0, 0, 0}, 200, 44, ) == 0x0
 00029  1744   NtClose  (20, ... ) == 0x0
 00030  1744   NtQueryObject  (28, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0
 00031  1744   NtSetInformationObject  (28, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0
 00032  1744   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00033  1744   NtQueryVirtualMemory  (-1, 0x250000, Basic, 28, ... {BaseAddress=0x250000,AllocationBase=0x250000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0
 00034  1744   NtAllocateVirtualMemory  (-1, 2424832, 0, 4096, 4096, 4, ... 2424832, 4096, ) == 0x0
 00035  1744   NtRequestWaitReplyPort  (28, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184}  (28, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184} "\210\6$\1\0\0\0\0eZ\221|\0\0\0\0\1\0\0\0\234\6$\1\4\0\0\0" ... {28, 56, reply, 0, 1736, 1744, 75470, 0} "0\346\26\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6$\1\4\0\0\0" )  ... {28, 56, reply, 0, 1736, 1744, 75470, 0}  (28, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184} "\210\6$\1\0\0\0\0eZ\221|\0\0\0\0\1\0\0\0\234\6$\1\4\0\0\0" ... {28, 56, reply, 0, 1736, 1744, 75470, 0} "0\346\26\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6$\1\4\0\0\0" )  ) == 0x0
 00036  1744   NtRegisterThreadTerminatePort  (28, ... ) == 0x0
 00037  1744   NtAllocateVirtualMemory  (-1, 1232896, 0, 4096, 4096, 260, ... 1232896, 4096, ) == 0x0
 00038  1744   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 20, ) }, ... 20, ) == 0x0
 00039  1744   NtQueryValueKey  (20,  (20, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (20, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00040  1744   NtClose  (20, ... ) == 0x0
 00041  1744   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 20, ) }, ... 20, ) == 0x0
 00042  1744   NtMapViewOfSection  (20, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x260000), 0x0, 90112, ) == 0x0
 00043  1744   NtClose  (20, ... ) == 0x0
 00044  1744   NtQueryDefaultLocale  (0, 2089305000, ... ) == 0x0
 00045  1744   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 20, ) }, ... 20, ) == 0x0
 00046  1744   NtMapViewOfSection  (20, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x280000), 0x0, 249856, ) == 0x0
 00047  1744   NtClose  (20, ... ) == 0x0
 00048  1744   NtOpenSection  (0x5, {24, 0, 0x40, 0, 0,  (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 20, ) }, ... 20, ) == 0x0
 00049  1744   NtMapViewOfSection  (20, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2c0000), 0x0, 266240, ) == 0x0
 00050  1744   NtQuerySection  (20, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0
 00051  1744   NtClose  (20, ... ) == 0x0
 00052  1744   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 20, ) }, ... 20, ) == 0x0
 00053  1744   NtMapViewOfSection  (20, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x310000), 0x0, 24576, ) == 0x0
 00054  1744   NtClose  (20, ... ) == 0x0
 00055  1744   NtQueryVirtualMemory  (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00056  1744   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00057  1744   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00058  1744   NtAllocateVirtualMemory  (-1, 2428928, 0, 8192, 4096, 4, ... 2428928, 8192, ) == 0x0
 00059  1744   NtRequestWaitReplyPort  (28, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776}  (28, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776} "\210\6$\1\36\0\1\0\0\0\0\0\377\377\377\377\234\6$\1p\30\0\0" ... {24, 52, reply, 0, 1736, 1744, 75471, 0} "\10P\30\0\36\0\1\0\0\0\0\0\377\377\377\377\234\6$\1p\30\0\0" )  ... {24, 52, reply, 0, 1736, 1744, 75471, 0}  (28, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776} "\210\6$\1\36\0\1\0\0\0\0\0\377\377\377\377\234\6$\1p\30\0\0" ... {24, 52, reply, 0, 1736, 1744, 75471, 0} "\10P\30\0\36\0\1\0\0\0\0\0\377\377\377\377\234\6$\1p\30\0\0" )  ) == 0x0
 00060  1744   NtRequestWaitReplyPort  (28, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0}  (28, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0} "\210\6$\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6$\18\6\0\0" ... {28, 56, reply, 0, 1736, 1744, 75472, 0} "\250\202\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6$\18\6\0\0" )  ... {28, 56, reply, 0, 1736, 1744, 75472, 0}  (28, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0} "\210\6$\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6$\18\6\0\0" ... {28, 56, reply, 0, 1736, 1744, 75472, 0} "\250\202\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6$\18\6\0\0" )  ) == 0x0
 00061  1744   NtWaitForMultipleObjects  (2, (20, 32, ), 1, 0, 0x0, ... ) == 0x0
 00062  1744   NtClose  (20, ... ) == 0x0
 00063  1744   NtClose  (32, ... ) == 0x0
 00064  1744   NtRequestWaitReplyPort  (28, {24, 52, new_msg, 0, 0, 0, 0, 0}  (28, {24, 52, new_msg, 0, 0, 0, 0, 0} "\0\0\0\0Q\2\2\0\0\0\0\0\0\0\0\0\1\0:\0\0\0\0\0" ... {24, 52, reply, 0, 1736, 1744, 75473, 0} "\0\0\0\0Q\2\2\0\273\0\0\300\0\0\0\0\1\0:\0\0\0\0\0" )  ... {24, 52, reply, 0, 1736, 1744, 75473, 0}  (28, {24, 52, new_msg, 0, 0, 0, 0, 0} "\0\0\0\0Q\2\2\0\0\0\0\0\0\0\0\0\1\0:\0\0\0\0\0" ... {24, 52, reply, 0, 1736, 1744, 75473, 0} "\0\0\0\0Q\2\2\0\273\0\0\300\0\0\0\0\1\0:\0\0\0\0\0" )  ) == 0x0
 00065  1744   NtProtectVirtualMemory  (-1, (0x401000), 16384, 4, ... (0x401000), 16384, 128, ) == 0x0
 00066  1744   NtProtectVirtualMemory  (-1, (0x401000), 16384, 128, ... (0x401000), 16384, 4, ) == 0x0
 00067  1744   NtFlushInstructionCache  (-1, 4198400, 16384, ... ) == 0x0
 00068  1744   NtOpenSection  (0xe, {24, 12, 0x40, 0, 0,  (0xe, {24, 12, 0x40, 0, 0, "MSVCRT.dll"}, ... 32, ) }, ... 32, ) == 0x0
 00069  1744   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 360448, ) == 0x0
 00070  1744   NtClose  (32, ... ) == 0x0
 00071  1744   NtProtectVirtualMemory  (-1, (0x77c11000), 632, 4, ... (0x77c11000), 4096, 32, ) == 0x0
 00072  1744   NtProtectVirtualMemory  (-1, (0x77c11000), 4096, 32, ... (0x77c11000), 4096, 4, ) == 0x0
 00073  1744   NtFlushInstructionCache  (-1, 2009141248, 632, ... ) == 0x0
 00074  1744   NtProtectVirtualMemory  (-1, (0x401000), 16384, 4, ... (0x401000), 16384, 64, ) == 0x0
 00075  1744   NtProtectVirtualMemory  (-1, (0x401000), 16384, 64, ... (0x401000), 16384, 4, ) == 0x0
 00076  1744   NtFlushInstructionCache  (-1, 4198400, 16384, ... ) == 0x0
 00077  1744   NtQueryInformationProcess  (-1, 37, 48, ... {process info, class 37, size 48}, 0x0, ) == 0x0
 00078  1744   NtSetInformationProcess  (-1, 34, {process info, class 34, size 4}, 4, ... ) == 0x0
 00079  1744   NtOpenProcessToken  (-1, 0x8, ... 32, ) == 0x0
 00080  1744   NtQueryInformationToken  (32, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00081  1744   NtClose  (32, ... ) == 0x0
 00082  1744   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 32, ) }, ... 32, ) == 0x0
 00083  1744   NtQueryValueKey  (32,  (32, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (32, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00084  1744   NtClose  (32, ... ) == 0x0
 00085  1744   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSVCRT.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00086  1744   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00087  1744   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 3276800, 65536, ) == 0x0
 00088  1744   NtAllocateVirtualMemory  (-1, 3276800, 0, 4096, 4096, 4, ... 3276800, 4096, ) == 0x0
 00089  1744   NtAllocateVirtualMemory  (-1, 3280896, 0, 8192, 4096, 4, ... 3280896, 8192, ) == 0x0
 00090  1744   NtAllocateVirtualMemory  (-1, 1323008, 0, 4096, 4096, 4, ... 1323008, 4096, ) == 0x0
 00091  1744   NtRequestWaitReplyPort  (28, {28, 56, new_msg, 0, 1311080, 0, 0, 1323168}  (28, {28, 56, new_msg, 0, 1311080, 0, 0, 1323168} "\0\0\0\0#\2\2\0\0\0\0\0x\1\24\0 \0\0\0\1\0:\0\3\0\0\0" ... {28, 56, reply, 0, 1736, 1744, 75474, 0} "\0\0\0\0#\2\2\0\0\0\0\0x\1\24\0\1\0\0\0\1\0:\0\3\0\0\0" )  ... {28, 56, reply, 0, 1736, 1744, 75474, 0}  (28, {28, 56, new_msg, 0, 1311080, 0, 0, 1323168} "\0\0\0\0#\2\2\0\0\0\0\0x\1\24\0 \0\0\0\1\0:\0\3\0\0\0" ... {28, 56, reply, 0, 1736, 1744, 75474, 0} "\0\0\0\0#\2\2\0\0\0\0\0x\1\24\0\1\0\0\0\1\0:\0\3\0\0\0" )  ) == 0x0
 00092  1744   NtQueryVolumeInformationFile  (4, 1243360, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00093  1744   NtRequestWaitReplyPort  (28, {28, 56, new_msg, 0, 2089884154, 3284816, 1, 0}  (28, {28, 56, new_msg, 0, 2089884154, 3284816, 1, 0} "\0\0\0\0#\2\2\0\200\310\227|\234\367\22\0\1\0\0\0\1\0:\0\13\0\0\0" ... {28, 56, reply, 0, 1736, 1744, 75475, 0} "\0\0\0\0#\2\2\0\0\0\0\0\234\367\22\0\1\0\0\0\1\0:\0\13\0\0\0" )  ... {28, 56, reply, 0, 1736, 1744, 75475, 0}  (28, {28, 56, new_msg, 0, 2089884154, 3284816, 1, 0} "\0\0\0\0#\2\2\0\200\310\227|\234\367\22\0\1\0\0\0\1\0:\0\13\0\0\0" ... {28, 56, reply, 0, 1736, 1744, 75475, 0} "\0\0\0\0#\2\2\0\0\0\0\0\234\367\22\0\1\0\0\0\1\0:\0\13\0\0\0" )  ) == 0x0
 00094  1744   NtAllocateVirtualMemory  (-1, 3289088, 0, 4096, 4096, 4, ... 3289088, 4096, ) == 0x0
 00095  1744   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 32, ) }, ... 32, ) == 0x0
 00096  1744   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x330000), 0x0, 12288, ) == 0x0
 00097  1744   NtClose  (32, ... ) == 0x0
 00098  1744   NtAllocateVirtualMemory  (-1, 3293184, 0, 4096, 4096, 4, ... 3293184, 4096, ) == 0x0
 00099  1744   NtQueryVirtualMemory  (-1, 0x77c2807c, Basic, 28, ... {BaseAddress=0x77c28000,AllocationBase=0x77c10000,AllocationProtect=0x80,RegionSize=0x35000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0
 00100  1744   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 00101  1744   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 00102  1744   NtQueryVirtualMemory  (-1, 0x0, Basic, 28, ... {BaseAddress=0x0,AllocationBase=0x0,AllocationProtect=0x0,RegionSize=0x10000,State=0x10000,Protect=0x1,Type=0x0,}, 28, ) == 0x0
 00103  1744   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntdll.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00104  1744   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kernel32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00105  1744   NtQueryVirtualMemory  (-1, 0x408717, Basic, 28, ... {BaseAddress=0x408000,AllocationBase=0x400000,AllocationProtect=0x80,RegionSize=0x2000,State=0x1000,Protect=0x40,Type=0x1000000,}, 28, ) == 0x0
 00106  1744   NtProtectVirtualMemory  (-1, (0x4001d0), 40, 4, ... (0x400000), 4096, 2, ) == 0x0
 00107  1744   NtProtectVirtualMemory  (-1, (0x4001d0), 40, 2, ... (0x400000), 4096, 4, ) == 0x0
 00108  1744   NtProtectVirtualMemory  (-1, (0x4001f8), 40, 4, ... (0x400000), 4096, 2, ) == 0x0
 00109  1744   NtProtectVirtualMemory  (-1, (0x4001f8), 40, 2, ... (0x400000), 4096, 4, ) == 0x0
 00110  1744   NtProtectVirtualMemory  (-1, (0x400220), 40, 4, ... (0x400000), 4096, 2, ) == 0x0
 00111  1744   NtProtectVirtualMemory  (-1, (0x400220), 40, 2, ... (0x400000), 4096, 4, ) == 0x0
 00112  1744   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 32, ) }, ... 32, ) == 0x0
 00113  1744   NtQueryValueKey  (32,  (32, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00114  1744   NtClose  (32, ... ) == 0x0
 00115  1744   NtOpenSection  (0xe, {24, 12, 0x40, 0, 0,  (0xe, {24, 12, 0x40, 0, 0, "user32.dll"}, ... 32, ) }, ... 32, ) == 0x0
 00116  1744   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x7e410000), 0x0, 589824, ) == 0x0
 00117  1744   NtClose  (32, ... ) == 0x0
 00118  1744   NtOpenSection  (0xe, {24, 12, 0x40, 0, 0,  (0xe, {24, 12, 0x40, 0, 0, "GDI32.dll"}, ... 32, ) }, ... 32, ) == 0x0
 00119  1744   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77f10000), 0x0, 290816, ) == 0x0
 00120  1744   NtClose  (32, ... ) == 0x0
 00121  1744   NtProtectVirtualMemory  (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0
 00122  1744   NtProtectVirtualMemory  (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0
 00123  1744   NtFlushInstructionCache  (-1, 2012286976, 508, ... ) == 0x0
 00124  1744   NtProtectVirtualMemory  (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0
 00125  1744   NtProtectVirtualMemory  (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0
 00126  1744   NtFlushInstructionCache  (-1, 2012286976, 508, ... ) == 0x0
 00127  1744   NtProtectVirtualMemory  (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0
 00128  1744   NtProtectVirtualMemory  (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0
 00129  1744   NtFlushInstructionCache  (-1, 2012286976, 508, ... ) == 0x0
 00130  1744   NtProtectVirtualMemory  (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0
 00131  1744   NtProtectVirtualMemory  (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0
 00132  1744   NtFlushInstructionCache  (-1, 2118193152, 1252, ... ) == 0x0
 00133  1744   NtProtectVirtualMemory  (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0
 00134  1744   NtProtectVirtualMemory  (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0
 00135  1744   NtFlushInstructionCache  (-1, 2118193152, 1252, ... ) == 0x0
 00136  1744   NtProtectVirtualMemory  (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0
 00137  1744   NtProtectVirtualMemory  (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0
 00138  1744   NtFlushInstructionCache  (-1, 2118193152, 1252, ... ) == 0x0
 00139  1744   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GDI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00140  1744   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\user32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00141  1744   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00142  1744   NtRequestWaitReplyPort  (28, {28, 56, new_msg, 0, 2089900645, 0, 2090320576, 1240040}  (28, {28, 56, new_msg, 0, 2089900645, 0, 2090320576, 1240040} "\210\6$\1\0\0\0\0\344\0\23\0\4\0\0\0\3\0\0\0\234\6$\1$\1\0\0" ... {28, 56, reply, 0, 1736, 1744, 75476, 0} "\320G\26\0\0\0\0\0\0\0\0\0\4\0\0\0\3\0\0\0\234\6$\1$\1\0\0" )  ... {28, 56, reply, 0, 1736, 1744, 75476, 0}  (28, {28, 56, new_msg, 0, 2089900645, 0, 2090320576, 1240040} "\210\6$\1\0\0\0\0\344\0\23\0\4\0\0\0\3\0\0\0\234\6$\1$\1\0\0" ... {28, 56, reply, 0, 1736, 1744, 75476, 0} "\320G\26\0\0\0\0\0\0\0\0\0\4\0\0\0\3\0\0\0\234\6$\1$\1\0\0" )  ) == 0x0
 00143  1744   NtFsControlFile  (16, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0
 00144  1744   NtAllocateVirtualMemory  (-1, 1228800, 0, 4096, 4096, 260, ... 1228800, 4096, ) == 0x0
 00145  1744   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1237432, ... ) }, 1237432, ... ) == 0x0
 00146  1744   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 32, {status=0x0, info=1}, ) }, 5, 96, ... 32, {status=0x0, info=1}, ) == 0x0
 00147  1744   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 32, ... 20, ) == 0x0
 00148  1744   NtClose  (32, ... ) == 0x0
 00149  1744   NtMapViewOfSection  (20, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x340000), 0x0, 110592, ) == 0x0
 00150  1744   NtClose  (20, ... ) == 0x0
 00151  1744   NtUnmapViewOfSection  (-1, 0x340000, ... ) == 0x0
 00152  1744   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1237340, ... ) }, 1237340, ... ) == 0x0
 00153  1744   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 20, {status=0x0, info=1}, ) }, 5, 96, ... 20, {status=0x0, info=1}, ) == 0x0
 00154  1744   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 20, ... 32, ) == 0x0
 00155  1744   NtClose  (20, ... ) == 0x0
 00156  1744   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x340000), 0x0, 110592, ) == 0x0
 00157  1744   NtClose  (32, ... ) == 0x0
 00158  1744   NtUnmapViewOfSection  (-1, 0x340000, ... ) == 0x0
 00159  1744   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1237648, ... ) }, 1237648, ... ) == 0x0
 00160  1744   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 32, {status=0x0, info=1}, ) }, 5, 96, ... 32, {status=0x0, info=1}, ) == 0x0
 00161  1744   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 32, ... 20, ) == 0x0
 00162  1744   NtQuerySection  (20, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00163  1744   NtOpenProcessToken  (-1, 0x8, ... 44, ) == 0x0
 00164  1744   NtQueryInformationToken  (44, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 00165  1744   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00166  1744   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 48, ) }, ... 48, ) == 0x0
 00167  1744   NtQueryValueKey  (48,  (48, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (48, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00168  1744   NtClose  (48, ... ) == 0x0
 00169  1744   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00170  1744   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 48, ) == 0x0
 00171  1744   NtQueryInformationToken  (48, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00172  1744   NtClose  (48, ... ) == 0x0
 00173  1744   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00174  1744   NtClose  (44, ... ) == 0x0
 00175  1744   NtClose  (32, ... ) == 0x0
 00176  1744   NtMapViewOfSection  (20, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76390000), 0x0, 118784, ) == 0x0
 00177  1744   NtClose  (20, ... ) == 0x0
 00178  1744   NtProtectVirtualMemory  (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0
 00179  1744   NtProtectVirtualMemory  (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0
 00180  1744   NtFlushInstructionCache  (-1, 1983451136, 696, ... ) == 0x0
 00181  1744   NtProtectVirtualMemory  (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0
 00182  1744   NtProtectVirtualMemory  (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0
 00183  1744   NtFlushInstructionCache  (-1, 1983451136, 696, ... ) == 0x0
 00184  1744   NtProtectVirtualMemory  (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0
 00185  1744   NtProtectVirtualMemory  (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0
 00186  1744   NtFlushInstructionCache  (-1, 1983451136, 696, ... ) == 0x0
 00187  1744   NtOpenSection  (0xe, {24, 12, 0x40, 0, 0,  (0xe, {24, 12, 0x40, 0, 0, "ADVAPI32.dll"}, ... 20, ) }, ... 20, ) == 0x0
 00188  1744   NtMapViewOfSection  (20, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 634880, ) == 0x0
 00189  1744   NtClose  (20, ... ) == 0x0
 00190  1744   NtProtectVirtualMemory  (-1, (0x77dd1000), 1700, 4, ... (0x77dd1000), 4096, 32, ) == 0x0
 00191  1744   NtProtectVirtualMemory  (-1, (0x77dd1000), 4096, 32, ... (0x77dd1000), 4096, 4, ) == 0x0
 00192  1744   NtFlushInstructionCache  (-1, 2010976256, 1700, ... ) == 0x0
 00193  1744   NtOpenSection  (0xe, {24, 12, 0x40, 0, 0,  (0xe, {24, 12, 0x40, 0, 0, "RPCRT4.dll"}, ... 20, ) }, ... 20, ) == 0x0
 00194  1744   NtMapViewOfSection  (20, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e70000), 0x0, 593920, ) == 0x0
 00195  1744   NtClose  (20, ... ) == 0x0
 00196  1744   NtProtectVirtualMemory  (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0
 00197  1744   NtProtectVirtualMemory  (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0
 00198  1744   NtFlushInstructionCache  (-1, 2011631616, 868, ... ) == 0x0
 00199  1744   NtProtectVirtualMemory  (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0
 00200  1744   NtProtectVirtualMemory  (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0
 00201  1744   NtFlushInstructionCache  (-1, 2011631616, 868, ... ) == 0x0
 00202  1744   NtProtectVirtualMemory  (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0
 00203  1744   NtProtectVirtualMemory  (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0
 00204  1744   NtFlushInstructionCache  (-1, 2011631616, 868, ... ) == 0x0
 00205  1744   NtProtectVirtualMemory  (-1, (0x77dd1000), 1700, 4, ... (0x77dd1000), 4096, 32, ) == 0x0
 00206  1744   NtProtectVirtualMemory  (-1, (0x77dd1000), 4096, 32, ... (0x77dd1000), 4096, 4, ) == 0x0
 00207  1744   NtFlushInstructionCache  (-1, 2010976256, 1700, ... ) == 0x0
 00208  1744   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RPCRT4.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00209  1744   NtAllocateVirtualMemory  (-1, 1327104, 0, 4096, 4096, 4, ... 1327104, 4096, ) == 0x0
 00210  1744   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ADVAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00211  1744   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 20, ) }, ... 20, ) == 0x0
 00212  1744   NtQueryValueKey  (20,  (20, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (20, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00213  1744   NtQueryValueKey  (20,  (20, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (20, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00214  1744   NtClose  (20, ... ) == 0x0
 00215  1744   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 20, ) }, ... 20, ) == 0x0
 00216  1744   NtQueryValueKey  (20,  (20, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00217  1744   NtClose  (20, ... ) == 0x0
 00218  1744   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 20, ) }, ... 20, ) == 0x0
 00219  1744   NtSetInformationObject  (20, Handle, {Inherit=0,ProtectFromClose=1,}, 2011431168, ... ) == 0x0
 00220  1744   NtOpenKey  (0x20019, {24, 20, 0x40, 0, 0,  (0x20019, {24, 20, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00221  1744   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IMM32.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00222  1744   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00223  1744   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1234564, ... ) }, 1234564, ... ) == 0x0
 00224  1744   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1237968, ... ) }, 1237968, ... ) == 0x0
 00225  1744   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00226  1744   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize"}, ... 32, ) }, ... 32, ) == 0x0
 00227  1744   NtQueryValueKey  (32,  (32, "DisableMetaFiles", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00228  1744   NtClose  (32, ... ) == 0x0
 00229  1744   NtMapViewOfSection  (-2147482576, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x4f0000), 0x0, 1060864, ) == 0x0
 00230  1744   NtClose  (-2147482576, ... ) == 0x0
 00231  1744   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 32, ) == 0x0
 00232  1744   NtOpenThreadTokenEx  (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN
 00233  1744   NtOpenProcessTokenEx  (-1, 0x8, 512, ... -2147482576, ) == 0x0
 00234  1744   NtQueryInformationToken  (-2147482576, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 00235  1744   NtQueryInformationToken  (-2147482576, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00236  1744   NtClose  (-2147482576, ... ) == 0x0
 00237  1744   NtAllocateVirtualMemory  (-1, 0, 0, 32, 4096, 4, ... 3407872, 4096, ) == 0x0
 00238  1744   NtFreeVirtualMemory  (-1, (0x340000), 4096, 32768, ... (0x340000), 4096, ) == 0x0
 00239  1744   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482576, ) }, ... -2147482576, ) == 0x0
 00240  1744   NtQueryValueKey  (-2147482576,  (-2147482576, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00241  1744   NtClose  (-2147482576, ... ) == 0x0
 00242  1744   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482576, ) }, ... -2147482576, ) == 0x0
 00243  1744   NtQueryValueKey  (-2147482576,  (-2147482576, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00244  1744   NtClose  (-2147482576, ... ) == 0x0
 00245  1744   NtQueryDefaultLocale  (0, -139347636, ... ) == 0x0
 00246  1744   NtGdiQueryFontAssocInfo  (0, ... ) == 0x0
 00247  1744   NtUserCallNoParam  (24, ... ) == 0x0
 00248  1744   NtGdiCreateCompatibleDC  (0, ...
 00249  1744   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 3407872, 4096, ) == 0x0
 00248  1744   NtGdiCreateCompatibleDC  ... ) == 0xf2010663
 00250  1744   NtGdiGetStockObject  (0, ... ) == 0x1900010
 00251  1744   NtGdiGetStockObject  (4, ... ) == 0x1900011
 00252  1744   NtGdiCreateBitmap  (8, 8, 1, 1, 2118200212, ... ) == 0xfd0505f7
 00253  1744   NtGdiCreateSolidBrush  (0, 0, ...
 00254  1744   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 3473408, 4096, ) == 0x0
 00253  1744   NtGdiCreateSolidBrush  ... ) == 0x4210057d
 00255  1744   NtGdiGetStockObject  (13, ... ) == 0x18a0021
 00256  1744   NtGdiCreateCompatibleDC  (0, ... ) == 0x69010363
 00257  1744   NtGdiSelectBitmap  (1761674083, -50002441, ... ) == 0x185000f
 00258  1744   NtUserGetThreadDesktop  (1744, 0, ... ) == 0x30
 00259  1744   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 52, ) }, ... 52, ) == 0x0
 00260  1744   NtQueryValueKey  (52,  (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 00261  1744   NtClose  (52, ... ) == 0x0
 00262  1744   NtUserFindExistingCursorIcon  (1239144, 1239160, 1239208, ... ) == 0x10011
 00263  1744   NtUserRegisterClassExWOW  (1239156, 1239224, 1239240, 1239256, 673, 128, 0, ... ) == 0x8172c017
 00264  1744   NtUserFindExistingCursorIcon  (1239144, 1239160, 1239208, ... ) == 0x10011
 00265  1744   NtUserRegisterClassExWOW  (1239156, 1239224, 1239240, 1239256, 674, 128, 0, ... ) == 0x8172c01c
 00266  1744   NtUserFindExistingCursorIcon  (1239144, 1239160, 1239208, ... ) == 0x10011
 00267  1744   NtUserRegisterClassExWOW  (1239156, 1239224, 1239240, 1239256, 675, 128, 0, ... ) == 0x8172c01e
 00268  1744   NtUserFindExistingCursorIcon  (1239144, 1239160, 1239208, ... ) == 0x10011
 00269  1744   NtUserRegisterClassExWOW  (1239156, 1239224, 1239240, 1239256, 676, 128, 0, ... ) == 0x81728002
 00270  1744   NtUserFindExistingCursorIcon  (1239144, 1239160, 1239208, ... ) == 0x10013
 00271  1744   NtUserRegisterClassExWOW  (1239156, 1239224, 1239240, 1239256, 677, 128, 0, ... ) == 0x8172c018
 00272  1744   NtUserFindExistingCursorIcon  (1239144, 1239160, 1239208, ... ) == 0x10011
 00273  1744   NtUserRegisterClassExWOW  (1239156, 1239224, 1239240, 1239256, 678, 128, 0, ... ) == 0x8172c01a
 00274  1744   NtUserFindExistingCursorIcon  (1239144, 1239160, 1239208, ... ) == 0x10011
 00275  1744   NtUserRegisterClassExWOW  (1239156, 1239224, 1239240, 1239256, 679, 128, 0, ... ) == 0x8172c01d
 00276  1744   NtUserFindExistingCursorIcon  (1239144, 1239160, 1239208, ... ) == 0x10011
 00277  1744   NtUserRegisterClassExWOW  (1239156, 1239224, 1239240, 1239256, 681, 128, 0, ... ) == 0x8172c026
 00278  1744   NtUserFindExistingCursorIcon  (1239144, 1239160, 1239208, ... ) == 0x10011
 00279  1744   NtUserRegisterClassExWOW  (1239156, 1239224, 1239240, 1239256, 680, 128, 0, ... ) == 0x8172c019
 00280  1744   NtUserRegisterClassExWOW  (1239108, 1239176, 1239192, 1239208, 0, 128, 0, ... ) == 0x8172c020
 00281  1744   NtUserRegisterClassExWOW  (1239364, 1239460, 1239444, 1239432, 0, 130, 0, ... ) == 0x8172c022
 00282  1744   NtUserRegisterClassExWOW  (1239108, 1239176, 1239192, 1239208, 0, 128, 0, ... ) == 0x8172c023
 00283  1744   NtUserRegisterClassExWOW  (1239364, 1239460, 1239444, 1239432, 0, 130, 0, ... ) == 0x8172c024
 00284  1744   NtUserRegisterClassExWOW  (1239108, 1239176, 1239192, 1239208, 0, 128, 0, ... ) == 0x8172c025
 00285  1744   NtCallbackReturn  (0, 0, 0, ...
 00286  1744   NtGdiInit  (... ) == 0x1
 00287  1744   NtGdiGetStockObject  (18, ... ) == 0x290001c
 00288  1744   NtGdiGetStockObject  (19, ... ) == 0x1b00019
 00289  1744   NtUserFindWindowEx  (0, 0,  (0, 0, "OLLYDBG", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 00290  1744   NtUserFindWindowEx  (0, 0,  (0, 0, "WispWindowClass", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 00291  1744   NtUserBuildHwndList  (0, 0, 0, 0, 64, ... (0x1a00f4, 0x5009e, 0x400fa, 0x10074, 0x10070, 0x10080, 0x10084, 0x30048, 0x10072, 0x20052, 0x5009c, 0x1401b6, 0xc01d2, 0xd0102, 0x500a2, 0xd011a, 0x10090, 0x100d0, 0x200b0, 0x100cc, 0x13010c, 0x16012c, 0x7015a, 0xd01c8, 0xe01ac, 0xc01d0, 0xa01cc, 0x3014c, 0x1011c, 0x100e6, 0x100d6, 0x100d2, 0x100ca, 0x100c8, 0x100ba, 0x100ae, 0x100ac, 0x300a6, 0x10078, 0x30062, 0x50036, 0x5005c, 0x100be, 0x400fe, 0x10092, 0x10086, 0x40034, 0x50050, 0x1013c, 0x10120, 0x100c2, 0x100bc, 0x2014e, 0x100d8, 0x100b6, 0x100b8, 0x100b4, 0x100c0, 0x1009a, 0x5005e, 0x1, ), 61, ) == 0x0
 00292  1744   NtUserValidateHandleSecure  (1704180, ... ) == 0x1
 00293  1744   NtUserQueryWindow  (1704180, 0, ... ) == 0x6b8
 00294  1744   NtUserQueryWindow  (1704180, 1, ... ) == 0x6d4
 00295  1744   NtOpenProcess  (0x10, {24, 0, 0x0, 0, 0, 0x0}, {1720, 0}, ... 52, ) == 0x0
 00296  1744   NtReadVirtualMemory  (52, 0x400000, 64, ...  (52, 0x400000, 64, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\350\0\0\0", 64, ) , 64, ) == 0x0
 00297  1744   NtReadVirtualMemory  (52, 0x4b1c86, 4, ...  (52, 0x4b1c86, 4, ... "\0\0\0\0", 4, ) , 4, ) == 0x0
 00298  1744   NtReadVirtualMemory  (52, 0x4c91a0, 256, ...  (52, 0x4c91a0, 256, ... "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, ) , 256, ) == 0x0
 00299  1744   NtClose  (52, ... ) == 0x0
 00300  1744   NtUserValidateHandleSecure  (327838, ... ) == 0x1
 00301  1744   NtUserQueryWindow  (327838, 0, ... ) == 0x6b8
 00302  1744   NtUserQueryWindow  (327838, 1, ... ) == 0x6d4
 00303  1744   NtUserValidateHandleSecure  (262394, ... ) == 0x1
 00304  1744   NtUserQueryWindow  (262394, 0, ... ) == 0x6b8
 00305  1744   NtUserQueryWindow  (262394, 1, ... ) == 0x6d4
 00306  1744   NtUserValidateHandleSecure  (65652, ... ) == 0x1
 00307  1744   NtUserQueryWindow  (65652, 0, ... ) == 0x6b8
 00308  1744   NtUserQueryWindow  (65652, 1, ... ) == 0x6d4
 00309  1744   NtUserValidateHandleSecure  (65648, ... ) == 0x1
 00310  1744   NtUserQueryWindow  (65648, 0, ... ) == 0x6b8
 00311  1744   NtUserQueryWindow  (65648, 1, ... ) == 0x6d4
 00312  1744   NtUserValidateHandleSecure  (65664, ... ) == 0x1
 00313  1744   NtUserQueryWindow  (65664, 0, ... ) == 0x6b8
 00314  1744   NtUserQueryWindow  (65664, 1, ... ) == 0x6d4
 00315  1744   NtUserValidateHandleSecure  (65668, ... ) == 0x1
 00316  1744   NtUserQueryWindow  (65668, 0, ... ) == 0x6b8
 00317  1744   NtUserQueryWindow  (65668, 1, ... ) == 0x6d4
 00318  1744   NtUserValidateHandleSecure  (196680, ... ) == 0x1
 00319  1744   NtUserQueryWindow  (196680, 0, ... ) == 0x6b8
 00320  1744   NtUserQueryWindow  (196680, 1, ... ) == 0x6d4
 00321  1744   NtUserValidateHandleSecure  (65650, ... ) == 0x1
 00322  1744   NtUserQueryWindow  (65650, 0, ... ) == 0x6b8
 00323  1744   NtUserQueryWindow  (65650, 1, ... ) == 0x6d4
 00324  1744   NtUserValidateHandleSecure  (131154, ... ) == 0x1
 00325  1744   NtUserQueryWindow  (131154, 0, ... ) == 0x6b8
 00326  1744   NtUserQueryWindow  (131154, 1, ... ) == 0x6d4
 00327  1744   NtUserValidateHandleSecure  (327836, ... ) == 0x1
 00328  1744   NtUserQueryWindow  (327836, 0, ... ) == 0x6b8
 00329  1744   NtUserQueryWindow  (327836, 1, ... ) == 0x6d4
 00330  1744   NtUserValidateHandleSecure  (1311158, ... ) == 0x1
 00331  1744   NtUserQueryWindow  (1311158, 0, ... ) == 0x6b8
 00332  1744   NtUserQueryWindow  (1311158, 1, ... ) == 0x6d4
 00333  1744   NtUserValidateHandleSecure  (786898, ... ) == 0x1
 00334  1744   NtUserQueryWindow  (786898, 0, ... ) == 0x6b8
 00335  1744   NtUserQueryWindow  (786898, 1, ... ) == 0x6d4
 00336  1744   NtUserValidateHandleSecure  (852226, ... ) == 0x1
 00337  1744   NtUserQueryWindow  (852226, 0, ... ) == 0x6b8
 00338  1744   NtUserQueryWindow  (852226, 1, ... ) == 0x6d4
 00339  1744   NtUserValidateHandleSecure  (327842, ... ) == 0x1
 00340  1744   NtUserQueryWindow  (327842, 0, ... ) == 0x6b8
 00341  1744   NtUserQueryWindow  (327842, 1, ... ) == 0x6d4
 00342  1744   NtUserValidateHandleSecure  (852250, ... ) == 0x1
 00343  1744   NtUserQueryWindow  (852250, 0, ... ) == 0x6b8
 00344  1744   NtUserQueryWindow  (852250, 1, ... ) == 0x6d4
 00345  1744   NtUserValidateHandleSecure  (65680, ... ) == 0x1
 00346  1744   NtUserQueryWindow  (65680, 0, ... ) == 0x6b8
 00347  1744   NtUserQueryWindow  (65680, 1, ... ) == 0x6bc
 00348  1744   NtUserValidateHandleSecure  (65744, ... ) == 0x1
 00349  1744   NtUserQueryWindow  (65744, 0, ... ) == 0x19c
 00350  1744   NtUserQueryWindow  (65744, 1, ... ) == 0x1a0
 00351  1744   NtOpenProcess  (0x10, {24, 0, 0x0, 0, 0, 0x0}, {412, 0}, ... 52, ) == 0x0
 00352  1744   NtReadVirtualMemory  (52, 0x400000, 64, ...  (52, 0x400000, 64, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\340\0\0\0", 64, ) , 64, ) == 0x0
 00353  1744   NtReadVirtualMemory  (52, 0x4b1c86, 4, ...  (52, 0x4b1c86, 4, ... "\0\0\0\0", 4, ) , 4, ) == 0x0
 00354  1744   NtReadVirtualMemory  (52, 0x4c91a0, 256, ...  (52, 0x4c91a0, 256, ... "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, ) , 256, ) == 0x0
 00355  1744   NtClose  (52, ... ) == 0x0
 00356  1744   NtUserValidateHandleSecure  (131248, ... ) == 0x1
 00357  1744   NtUserQueryWindow  (131248, 0, ... ) == 0xa0
 00358  1744   NtUserQueryWindow  (131248, 1, ... ) == 0xe4
 00359  1744   NtOpenProcess  (0x10, {24, 0, 0x0, 0, 0, 0x0}, {160, 0}, ... 52, ) == 0x0
 00360  1744   NtReadVirtualMemory  (52, 0x400000, 64, ...  (52, 0x400000, 64, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\1\0\0", 64, ) , 64, ) == 0x0
 00361  1744   NtReadVirtualMemory  (52, 0x4b1c86, 4, ...
 00362  1744   NtContinue  (-139350732, 0, ...
 00361  1744   NtReadVirtualMemory  ... ) == STATUS_PARTIAL_COPY
 00363  1744   NtReadVirtualMemory  (52, 0x4c91a0, 256, ...
 00364  1744   NtContinue  (-139350732, 0, ...
 00363  1744   NtReadVirtualMemory  ... ) == STATUS_PARTIAL_COPY
 00365  1744   NtClose  (52, ... ) == 0x0
 00366  1744   NtUserValidateHandleSecure  (65740, ... ) == 0x1
 00367  1744   NtUserQueryWindow  (65740, 0, ... ) == 0x19c
 00368  1744   NtUserQueryWindow  (65740, 1, ... ) == 0x1a0
 00369  1744   NtUserValidateHandleSecure  (1245452, ... ) == 0x1
 00370  1744   NtUserQueryWindow  (1245452, 0, ... ) == 0x5e8
 00371  1744   NtUserQueryWindow  (1245452, 1, ... ) == 0x534
 00372  1744   NtOpenProcess  (0x10, {24, 0, 0x0, 0, 0, 0x0}, {1512, 0}, ... 52, ) == 0x0
 00373  1744   NtReadVirtualMemory  (52, 0x400000, 64, ...  (52, 0x400000, 64, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\330\0\0\0", 64, ) , 64, ) == 0x0
 00374  1744   NtReadVirtualMemory  (52, 0x4b1c86, 4, ...  (52, 0x4b1c86, 4, ... "\0\0\0\0", 4, ) , 4, ) == 0x0
 00375  1744   NtReadVirtualMemory  (52, 0x4c91a0, 256, ...  (52, 0x4c91a0, 256, ... "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, ) , 256, ) == 0x0
 00376  1744   NtClose  (52, ... ) == 0x0
 00377  1744   NtUserValidateHandleSecure  (1442092, ... ) == 0x1
 00378  1744   NtUserQueryWindow  (1442092, 0, ... ) == 0xa4
 00379  1744   NtUserQueryWindow  (1442092, 1, ... ) == 0x61c
 00380  1744   NtOpenProcess  (0x10, {24, 0, 0x0, 0, 0, 0x0}, {164, 0}, ... 52, ) == 0x0
 00381  1744   NtReadVirtualMemory  (52, 0x400000, 64, ...  (52, 0x400000, 64, ... "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 64, ) , 64, ) == 0x0
 00382  1744   NtReadVirtualMemory  (52, 0x4b1c86, 4, ...
 00383  1744   NtContinue  (-139350732, 0, ...
 00382  1744   NtReadVirtualMemory  ... ) == STATUS_PARTIAL_COPY
 00384  1744   NtReadVirtualMemory  (52, 0x4c91a0, 256, ...
 00385  1744   NtContinue  (-139350732, 0, ...
 00384  1744   NtReadVirtualMemory  ... ) == STATUS_PARTIAL_COPY
 00386  1744   NtClose  (52, ... ) == 0x0
 00387  1744   NtUserValidateHandleSecure  (459098, ... ) == 0x1
 00388  1744   NtUserQueryWindow  (459098, 0, ... ) == 0x4b0
 00389  1744   NtUserQueryWindow  (459098, 1, ... ) == 0x780
 00390  1744   NtOpenProcess  (0x10, {24, 0, 0x0, 0, 0, 0x0}, {1200, 0}, ... 52, ) == 0x0
 00391  1744   NtReadVirtualMemory  (52, 0x400000, 64, ...
 00392  1744   NtContinue  (-139350732, 0, ...
 00391  1744   NtReadVirtualMemory  ... ) == STATUS_PARTIAL_COPY
 00393  1744   NtClose  (52, ... ) == 0x0
 00394  1744   NtUserValidateHandleSecure  (852424, ... ) == 0x1
 00395  1744   NtUserQueryWindow  (852424, 0, ... ) == 0x6b8
 00396  1744   NtUserQueryWindow  (852424, 1, ... ) == 0x6d4
 00397  1744   NtUserValidateHandleSecure  (917932, ... ) == 0x1
 00398  1744   NtUserQueryWindow  (917932, 0, ... ) == 0x6b8
 00399  1744   NtUserQueryWindow  (917932, 1, ... ) == 0x6d4
 00400  1744   NtUserValidateHandleSecure  (786896, ... ) == 0x1
 00401  1744   NtUserQueryWindow  (786896, 0, ... ) == 0x6b8
 00402  1744   NtUserQueryWindow  (786896, 1, ... ) == 0x6d4
 00403  1744   NtUserValidateHandleSecure  (655820, ... ) == 0x1
 00404  1744   NtUserQueryWindow  (655820, 0, ... ) == 0x6b8
 00405  1744   NtUserQueryWindow  (655820, 1, ... ) == 0x6d4
 00406  1744   NtUserValidateHandleSecure  (196940, ... ) == 0x1
 00407  1744   NtUserQueryWindow  (196940, 0, ... ) == 0x4b4
 00408  1744   NtUserQueryWindow  (196940, 1, ... ) == 0x474
 00409  1744   NtOpenProcess  (0x10, {24, 0, 0x0, 0, 0, 0x0}, {1204, 0}, ... 52, ) == 0x0
 00410  1744   NtReadVirtualMemory  (52, 0x400000, 64, ...  (52, 0x400000, 64, ... "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 64, ) , 64, ) == 0x0
 00411  1744   NtReadVirtualMemory  (52, 0x4b1c86, 4, ...  (52, 0x4b1c86, 4, ... "ient", 4, ) , 4, ) == 0x0
 00412  1744   NtReadVirtualMemory  (52, 0x4c91a0, 256, ...  (52, 0x4c91a0, 256, ... "\0\0\0\0\0\0\0\0\15\0\37\0\0\1\14\0P\220g\274\212\301\212\301\0\0\0\0\0\0\0\0\0\0\0\0\0\0\202\1\0\0\0\0\0\0\0\0\0\0\0\0\260\221g\274\0\0\0\0\0\0\0\0\10(\0\0H/\20@\0\0\0\0\0\0\0\0\0\0\13@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\222g\274\0\0\0\0$\0\0\0!\1,\0\0\0\17\0\330:e\2748\203g\274Form\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\0\0\14\0\34\1\5\0\0\0\14\0@Sf\274`^g\274\260[\263\341\0\0\0\0@\222g\274\10\0\6\240\200\3\0\200\1\1\0\0\0\0\310\206\0\0\13@\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\371\1\0\0~\1\0\0\7\3\0\0\1\2\0\0\374\1\0\0\233\1\0\0\4\3\0\0\376\1\0\0", 256, ) , 256, ) == 0x0
 00413  1744   NtClose  (52, ... ) == 0x0
 00414  1744   NtUserValidateHandleSecure  (65820, ... ) == 0x1
 00415  1744   NtUserQueryWindow  (65820, 0, ... ) == 0x22c
 00416  1744   NtUserQueryWindow  (65820, 1, ... ) == 0x220
 00417  1744   NtOpenProcess  (0x10, {24, 0, 0x0, 0, 0, 0x0}, {556, 0}, ... 52, ) == 0x0
 00418  1744   NtReadVirtualMemory  (52, 0x400000, 64, ...  (52, 0x400000, 64, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\350\0\0\0", 64, ) , 64, ) == 0x0
 00419  1744   NtReadVirtualMemory  (52, 0x4b1c86, 4, ...  (52, 0x4b1c86, 4, ... "\0\0\0\0", 4, ) , 4, ) == 0x0
 00420  1744   NtReadVirtualMemory  (52, 0x4c91a0, 256, ...  (52, 0x4c91a0, 256, ... "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, ) , 256, ) == 0x0
 00421  1744   NtClose  (52, ... ) == 0x0
 00422  1744   NtUserValidateHandleSecure  (65766, ... ) == 0x1
 00423  1744   NtUserQueryWindow  (65766, 0, ... ) == 0x6b8
 00424  1744   NtUserQueryWindow  (65766, 1, ... ) == 0x13c
 00425  1744   NtUserValidateHandleSecure  (65750, ... ) == 0x1
 00426  1744   NtUserQueryWindow  (65750, 0, ... ) == 0x6b8
 00427  1744   NtUserQueryWindow  (65750, 1, ... ) == 0x13c
 00428  1744   NtUserValidateHandleSecure  (65746, ... ) == 0x1
 00429  1744   NtUserQueryWindow  (65746, 0, ... ) == 0x6b8
 00430  1744   NtUserQueryWindow  (65746, 1, ... ) == 0x6d4
 00431  1744   NtUserValidateHandleSecure  (65738, ... ) == 0x1
 00432  1744   NtUserQueryWindow  (65738, 0, ... ) == 0x19c
 00433  1744   NtUserQueryWindow  (65738, 1, ... ) == 0x1a0
 00434  1744   NtUserValidateHandleSecure  (65736, ... ) == 0x1
 00435  1744   NtUserQueryWindow  (65736, 0, ... ) == 0xa0
 00436  1744   NtUserQueryWindow  (65736, 1, ... ) == 0xe4
 00437  1744   NtUserValidateHandleSecure  (65722, ... ) == 0x1
 00438  1744   NtUserQueryWindow  (65722, 0, ... ) == 0x104
 00439  1744   NtUserQueryWindow  (65722, 1, ... ) == 0x108
 00440  1744   NtOpenProcess  (0x10, {24, 0, 0x0, 0, 0, 0x0}, {260, 0}, ... 52, ) == 0x0
 00441  1744   NtReadVirtualMemory  (52, 0x400000, 64, ...
 00442  1744   NtContinue  (-139350732, 0, ...
 00441  1744   NtReadVirtualMemory  ... ) == STATUS_PARTIAL_COPY
 00443  1744   NtClose  (52, ... ) == 0x0
 00444  1744   NtUserValidateHandleSecure  (65710, ... ) == 0x1
 00445  1744   NtUserQueryWindow  (65710, 0, ... ) == 0x104
 00446  1744   NtUserQueryWindow  (65710, 1, ... ) == 0x108
 00447  1744   NtUserValidateHandleSecure  (65708, ... ) == 0x1
 00448  1744   NtUserQueryWindow  (65708, 0, ... ) == 0x120
 00449  1744   NtUserQueryWindow  (65708, 1, ... ) == 0x124
 00450  1744   NtOpenProcess  (0x10, {24, 0, 0x0, 0, 0, 0x0}, {288, 0}, ... 52, ) == 0x0
 00451  1744   NtReadVirtualMemory  (52, 0x400000, 64, ...  (52, 0x400000, 64, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\340\0\0\0", 64, ) , 64, ) == 0x0
 00452  1744   NtReadVirtualMemory  (52, 0x4b1c86, 4, ...  (52, 0x4b1c86, 4, ... "\0\0\0\0", 4, ) , 4, ) == 0x0
 00453  1744   NtReadVirtualMemory  (52, 0x4c91a0, 256, ...  (52, 0x4c91a0, 256, ... "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, ) , 256, ) == 0x0
 00454  1744   NtClose  (52, ... ) == 0x0
 00455  1744   NtUserValidateHandleSecure  (196774, ... ) == 0x1
 00456  1744   NtUserQueryWindow  (196774, 0, ... ) == 0xc4
 00457  1744   NtUserQueryWindow  (196774, 1, ... ) == 0xc8
 00458  1744   NtOpenProcess  (0x10, {24, 0, 0x0, 0, 0, 0x0}, {196, 0}, ... 52, ) == 0x0
 00459  1744   NtReadVirtualMemory  (52, 0x400000, 64, ...  (52, 0x400000, 64, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\1\0\0", 64, ) , 64, ) == 0x0
 00460  1744   NtReadVirtualMemory  (52, 0x4b1c86, 4, ...
 00461  1744   NtContinue  (-139350732, 0, ...
 00460  1744   NtReadVirtualMemory  ... ) == STATUS_PARTIAL_COPY
 00462  1744   NtReadVirtualMemory  (52, 0x4c91a0, 256, ...
 00463  1744   NtContinue  (-139350732, 0, ...
 00462  1744   NtReadVirtualMemory  ... ) == STATUS_PARTIAL_COPY
 00464  1744   NtClose  (52, ... ) == 0x0
 00465  1744   NtUserValidateHandleSecure  (65656, ... ) == 0x1
 00466  1744   NtUserQueryWindow  (65656, 0, ... ) == 0x6b8
 00467  1744   NtUserQueryWindow  (65656, 1, ... ) == 0x6ec
 00468  1744   NtUserValidateHandleSecure  (196706, ... ) == 0x1
 00469  1744   NtUserQueryWindow  (196706, 0, ... ) == 0x6b8
 00470  1744   NtUserQueryWindow  (196706, 1, ... ) == 0x6bc
 00471  1744   NtUserValidateHandleSecure  (327734, ... ) == 0x1
 00472  1744   NtUserQueryWindow  (327734, 0, ... ) == 0x6b8
 00473  1744   NtUserQueryWindow  (327734, 1, ... ) == 0x6bc
 00474  1744   NtUserValidateHandleSecure  (327772, ... ) == 0x1
 00475  1744   NtUserQueryWindow  (327772, 0, ... ) == 0x6b8
 00476  1744   NtUserQueryWindow  (327772, 1, ... ) == 0x6bc
 00477  1744   NtUserValidateHandleSecure  (65726, ... ) == 0x1
 00478  1744   NtUserQueryWindow  (65726, 0, ... ) == 0x19c
 00479  1744   NtUserQueryWindow  (65726, 1, ... ) == 0x1a0
 00480  1744   NtUserValidateHandleSecure  (262398, ... ) == 0x1
 00481  1744   NtUserQueryWindow  (262398, 0, ... ) == 0x6b8
 00482  1744   NtUserQueryWindow  (262398, 1, ... ) == 0x6d4
 00483  1744   NtUserValidateHandleSecure  (65682, ... ) == 0x1
 00484  1744   NtUserQueryWindow  (65682, 0, ... ) == 0x6b8
 00485  1744   NtUserQueryWindow  (65682, 1, ... ) == 0x6bc
 00486  1744   NtUserValidateHandleSecure  (65670, ... ) == 0x1
 00487  1744   NtUserQueryWindow  (65670, 0, ... ) == 0x6b8
 00488  1744   NtUserQueryWindow  (65670, 1, ... ) == 0x6bc
 00489  1744   NtUserValidateHandleSecure  (262196, ... ) == 0x1
 00490  1744   NtUserQueryWindow  (262196, 0, ... ) == 0x6b8
 00491  1744   NtUserQueryWindow  (262196, 1, ... ) == 0x6d4
 00492  1744   NtUserValidateHandleSecure  (327760, ... ) == 0x1
 00493  1744   NtUserQueryWindow  (327760, 0, ... ) == 0x6b8
 00494  1744   NtUserQueryWindow  (327760, 1, ... ) == 0x6d4
 00495  1744   NtUserValidateHandleSecure  (65852, ... ) == 0x1
 00496  1744   NtUserQueryWindow  (65852, 0, ... ) == 0x22c
 00497  1744   NtUserQueryWindow  (65852, 1, ... ) == 0x220
 00498  1744   NtUserValidateHandleSecure  (65824, ... ) == 0x1
 00499  1744   NtUserQueryWindow  (65824, 0, ... ) == 0x22c
 00500  1744   NtUserQueryWindow  (65824, 1, ... ) == 0x220
 00501  1744   NtUserValidateHandleSecure  (65730, ... ) == 0x1
 00502  1744   NtUserQueryWindow  (65730, 0, ... ) == 0xa0
 00503  1744   NtUserQueryWindow  (65730, 1, ... ) == 0xe4
 00504  1744   NtUserValidateHandleSecure  (65724, ... ) == 0x1
 00505  1744   NtUserQueryWindow  (65724, 0, ... ) == 0xa0
 00506  1744   NtUserQueryWindow  (65724, 1, ... ) == 0xe4
 00507  1744   NtUserValidateHandleSecure  (131406, ... ) == 0x1
 00508  1744   NtUserQueryWindow  (131406, 0, ... ) == 0x4b4
 00509  1744   NtUserQueryWindow  (131406, 1, ... ) == 0x474
 00510  1744   NtUserValidateHandleSecure  (65752, ... ) == 0x1
 00511  1744   NtUserQueryWindow  (65752, 0, ... ) == 0x6b8
 00512  1744   NtUserQueryWindow  (65752, 1, ... ) == 0x13c
 00513  1744   NtUserValidateHandleSecure  (65718, ... ) == 0x1
 00514  1744   NtUserQueryWindow  (65718, 0, ... ) == 0x104
 00515  1744   NtUserQueryWindow  (65718, 1, ... ) == 0x108
 00516  1744   NtUserValidateHandleSecure  (65720, ... ) == 0x1
 00517  1744   NtUserQueryWindow  (65720, 0, ... ) == 0x120
 00518  1744   NtUserQueryWindow  (65720, 1, ... ) == 0x124
 00519  1744   NtUserValidateHandleSecure  (65716, ... ) == 0x1
 00520  1744   NtUserQueryWindow  (65716, 0, ... ) == 0xc4
 00521  1744   NtUserQueryWindow  (65716, 1, ... ) == 0xc8
 00522  1744   NtUserValidateHandleSecure  (65728, ... ) == 0x1
 00523  1744   NtUserQueryWindow  (65728, 0, ... ) == 0x19c
 00524  1744   NtUserQueryWindow  (65728, 1, ... ) == 0x1a0
 00525  1744   NtUserValidateHandleSecure  (65690, ... ) == 0x1
 00526  1744   NtUserQueryWindow  (65690, 0, ... ) == 0x6b8
 00527  1744   NtUserQueryWindow  (65690, 1, ... ) == 0x6bc
 00528  1744   NtUserValidateHandleSecure  (327774, ... ) == 0x1
 00529  1744   NtUserQueryWindow  (327774, 0, ... ) == 0x6b8
 00530  1744   NtUserQueryWindow  (327774, 1, ... ) == 0x6bc
 00531  1744   NtRaiseException  (1242672, 1241932, 1, ...
 00532  1744   NtQueryVirtualMemory  (-1, 0x7c85a0a0, Basic, 28, ... {BaseAddress=0x7c85a000,AllocationBase=0x7c800000,AllocationProtect=0x80,RegionSize=0x2a000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0
 00533  1744   NtContinue  (1240892, 0, ...
 00534  1744   NtOpenDirectoryObject  (0x2000f, {24, 0, 0x40, 0, 0,  (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 52, ) }, ... 52, ) == 0x0
 00535  1744   NtOpenMutant  (0x120001, {24, 52, 0x2, 0, 0,  (0x120001, {24, 52, 0x2, 0, 0, "DBWinMutex"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00536  1744   NtCreateMutant  (0x1f0001, {24, 52, 0x82, 1242692, 0,  (0x1f0001, {24, 52, 0x82, 1242692, 0, "DBWinMutex"}, 0, ... 56, ) }, 0, ... 56, ) == 0x0
 00537  1744   NtWaitForSingleObject  (56, 0, 0x0, ... ) == 0x0
 00538  1744   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00539  1744   NtReleaseMutant  (56, ... 0x0, ) == 0x0
 00540  1744   NtOpenEvent  (0x100000, {24, 52, 0x0, 0, 0,  (0x100000, {24, 52, 0x0, 0, 0, "Global\SvcctrlStartEvent_A3752DX"}, ... 60, ) }, ... 60, ) == 0x0
 00541  1744   NtWaitForSingleObject  (60, 0, {-1800000000, -1}, ... ) == 0x0
 00542  1744   NtClose  (60, ... ) == 0x0
 00543  1744   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00544  1744   NtOpenKey  (0x20019, {24, 20, 0x40, 0, 0,  (0x20019, {24, 20, 0x40, 0, 0, "Software\Microsoft\Rpc\PagedBuffers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00545  1744   NtOpenKey  (0x20019, {24, 20, 0x40, 0, 0,  (0x20019, {24, 20, 0x40, 0, 0, "Software\Microsoft\Rpc"}, ... 60, ) }, ... 60, ) == 0x0
 00546  1744   NtQueryValueKey  (60,  (60, "MaxRpcSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00547  1744   NtClose  (60, ... ) == 0x0
 00548  1744   NtOpenKey  (0x20019, {24, 20, 0x40, 0, 0,  (0x20019, {24, 20, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe\RpcThreadPoolThrottle"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00549  1744   NtAllocateVirtualMemory  (-1, 1331200, 0, 4096, 4096, 4, ... 1331200, 4096, ) == 0x0
 00550  1744   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 60, ) == 0x0
 00551  1744   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 64, ) == 0x0
 00552  1744   NtQuerySystemTime  (... {157495766, 29924679}, ) == 0x0
 00553  1744   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 68, ) == 0x0
 00554  1744   NtOpenKey  (0x20019, {24, 20, 0x40, 0, 0,  (0x20019, {24, 20, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\Rpc"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00555  1744   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 0x0, ) == 0x0
 00556  1744   NtQueryInformationProcess  (-1, QuotaLimits, 32, ... {process info, class 1, size 32}, 0x0, ) == 0x0
 00557  1744   NtQueryInformationProcess  (-1, VmCounters, 44, ... {process info, class 3, size 44}, 0x0, ) == 0x0
 00558  1744   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 72, ) == 0x0
 00559  1744   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 76, ) == 0x0
 00560  1744   NtAllocateVirtualMemory  (-1, 1335296, 0, 4096, 4096, 4, ... 1335296, 4096, ) == 0x0
 00561  1744   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\Device\KsecDD"}, 7, 16, ... 80, {status=0x0, info=0}, ) }, 7, 16, ... 80, {status=0x0, info=0}, ) == 0x0
 00562  1744   NtDeviceIoControlFile  (80, 0, 0x0, 0x0, 0x390008,  (80, 0, 0x0, 0x0, 0x390008, "\335\346W*\217\342\312\4\224\334\261\217\207)\220\235\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 00563  1744   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 00564  1744   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 00565  1744   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 00566  1744   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 00567  1744   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 00568  1744   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 00569  1744   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 00570  1744   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482576, 2, ) }, 0, 0x0, 0, ... -2147482576, 2, ) == 0x0
 00571  1744   NtSetValueKey  (-2147482576,  (-2147482576, "Seed", 0, 3, "\302\316,\21\201=\336$x`\5\360\335i{\320\306\270\256(9\373\370\2\324b&i=>N\316\332]\202\32\302o\363\3\355\177\215\250\37i\230\221\362_\203\204\31\317e\235R\365w\342X\366\306J\234\267\373\365\360pW{\205x\256\360\11\360\271\375", 80, ... ) , 0, 3,  (-2147482576, "Seed", 0, 3, "\302\316,\21\201=\336$x`\5\360\335i{\320\306\270\256(9\373\370\2\324b&i=>N\316\332]\202\32\302o\363\3\355\177\215\250\37i\230\221\362_\203\204\31\317e\235R\365w\342X\366\306J\234\267\373\365\360pW{\205x\256\360\11\360\271\375", 80, ... ) , 80, ... ) == 0x0
 00572  1744   NtClose  (-2147482576, ... ) == 0x0
 00562  1744   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "!\213S\250\342|\263\325\6\340\264E\205>\340"3\305\322t@"w\244\353\234\247;\311\371\271\271d[\261\3777'x\366\372ph\231\11\13\344\274\301!\345f\205\234l\13\367\366\331\332\231\234'\1777\371\267W\232\247\247(\2026\374h \356{a\12\27L\1\2030I\35\204\27ld\243\336qFh,/K\3514\323\222k\11\Q7P\311\265\233\320\34N.\240\203\277\20\213X\316\302\367\356\310\12\350\252\207\220\260w\250\372\235\1209?\16\241\377f\20\323\313\12`\34\232\277\215D\2759\342\210\317\233;)14\364\316\260\307\331\243\305H\27v\234\3317\351W2\245\264\222\12\250\337\326\37128\342\26\177\211DT\345\253\211\372f<8T\10,89{A\322J\277\3409\261\247a\224)\216@\375a\237\330\253\330a\20\264k\210\234\220\244\342\230%+\14\3H|\351\343p+\304\365\202\301\324\34", ) 3\305\322t@ ... {status=0x0, info=256}, "!\213S\250\342|\263\325\6\340\264E\205>\340"3\305\322t@"w\244\353\234\247;\311\371\271\271d[\261\3777'x\366\372ph\231\11\13\344\274\301!\345f\205\234l\13\367\366\331\332\231\234'\1777\371\267W\232\247\247(\2026\374h \356{a\12\27L\1\2030I\35\204\27ld\243\336qFh,/K\3514\323\222k\11\Q7P\311\265\233\320\34N.\240\203\277\20\213X\316\302\367\356\310\12\350\252\207\220\260w\250\372\235\1209?\16\241\377f\20\323\313\12`\34\232\277\215D\2759\342\210\317\233;)14\364\316\260\307\331\243\305H\27v\234\3317\351W2\245\264\222\12\250\337\326\37128\342\26\177\211DT\345\253\211\372f<8T\10,89{A\322J\277\3409\261\247a\224)\216@\375a\237\330\253\330a\20\264k\210\234\220\244\342\230%+\14\3H|\351\343p+\304\365\202\301\324\34", ) , ) == 0x0
 00573  1744   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 84, ) == 0x0
 00574  1744   NtConnectPort  ( ("\RPC Control\ntsvcs", {12, 2, 1, 1}, 0x0, 0x0, 1241804, 188, ... 88, 0x0, 0x0, 0x0, 188, ) , {12, 2, 1, 1}, 0x0, 0x0, 1241804, 188, ... 88, 0x0, 0x0, 0x0, 188, ) == 0x0
 00575  1744   NtRequestWaitReplyPort  (88, {200, 224, new_msg, 0, 1333512, 12, 2, 1310977}  (88, {200, 224, new_msg, 0, 1333512, 12, 2, 1310977} "\0\0\0\0\274\0\0\0x\1\24\0\201\273z6D\230\3615\2552\230\3608\0\20\3\2\0\0\0\1\0\0\0\20g\24\0\4\0\0\0hh\24\0\10\0\0\0\5\0\0\0x\1\24\0\0\0\0\0\0\0\24\0\1\0\0\0\242f\322\216\357\22'``h\24\0h\1\24\0\12\0\0\0\0\0\0\0`h\24\0(\0\0\0hh\24\0\276\37\346Vx\1\24\0(\0\0\0\226\232\0\0\0\0\24\0(\361\22\0\364\0\0\0\0\0\0\0\240N\24\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0L\361\22\0\372\31\221|\340\370\22\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ... {200, 224, reply, 0, 1736, 1744, 75485, 0} "\7\0\0\0\274\0\0\0x\1\24\0\201\273z6D\230\3615\2552\230\3608\0\20\3\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0hh\24\0\377\377\377\377\5\0\0\0x\1\24\0\0\0\0\0\0\0\24\0\1\0\0\0\242f\322\216\357\22'``h\24\0h\1\24\0\12\0\0\0\0\0\0\0`h\24\0(\0\0\0hh\24\0\276\37\346Vx\1\24\0(\0\0\0\226\232\0\0\0\0\24\0(\361\22\0\364\0\0\0\0\0\0\0\240N\24\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0L\361\22\0\372\31\221|\340\370\22\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" )  ... {200, 224, reply, 0, 1736, 1744, 75485, 0}  (88, {200, 224, new_msg, 0, 1333512, 12, 2, 1310977} "\0\0\0\0\274\0\0\0x\1\24\0\201\273z6D\230\3615\2552\230\3608\0\20\3\2\0\0\0\1\0\0\0\20g\24\0\4\0\0\0hh\24\0\10\0\0\0\5\0\0\0x\1\24\0\0\0\0\0\0\0\24\0\1\0\0\0\242f\322\216\357\22'``h\24\0h\1\24\0\12\0\0\0\0\0\0\0`h\24\0(\0\0\0hh\24\0\276\37\346Vx\1\24\0(\0\0\0\226\232\0\0\0\0\24\0(\361\22\0\364\0\0\0\0\0\0\0\240N\24\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0L\361\22\0\372\31\221|\340\370\22\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ... {200, 224, reply, 0, 1736, 1744, 75485, 0} "\7\0\0\0\274\0\0\0x\1\24\0\201\273z6D\230\3615\2552\230\3608\0\20\3\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0hh\24\0\377\377\377\377\5\0\0\0x\1\24\0\0\0\0\0\0\0\24\0\1\0\0\0\242f\322\216\357\22'``h\24\0h\1\24\0\12\0\0\0\0\0\0\0`h\24\0(\0\0\0hh\24\0\276\37\346Vx\1\24\0(\0\0\0\226\232\0\0\0\0\24\0(\361\22\0\364\0\0\0\0\0\0\0\240N\24\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0L\361\22\0\372\31\221|\340\370\22\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" )  ) == 0x0
 00576  1744   NtRequestWaitReplyPort  (88, {48, 72, new_msg, 0, 0, 0, 0, 0}  (88, {48, 72, new_msg, 0, 0, 0, 0, 0} "\1\0\0\0A\2\33\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200\0\0\0\0" ... {96, 120, reply, 0, 1736, 1744, 75486, 0} "\2+\263\341\1\0T\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\230\\320\300\206n\240K\233w\232\255W\377\235:\0\0\0\0\0\0\0\0\0\0\0\0\254f\12\0\1\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\14\0\0\0\0\0\0\0\14\0\0\0" )  ... {96, 120, reply, 0, 1736, 1744, 75486, 0}  (88, {48, 72, new_msg, 0, 0, 0, 0, 0} "\1\0\0\0A\2\33\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200\0\0\0\0" ... {96, 120, reply, 0, 1736, 1744, 75486, 0} "\2+\263\341\1\0T\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\230\\320\300\206n\240K\233w\232\255W\377\235:\0\0\0\0\0\0\0\0\0\0\0\0\254f\12\0\1\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\14\0\0\0\0\0\0\0\14\0\0\0" )  ) == 0x0
 00577  1744   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1243344,  (0x80100080, {24, 0, 0x40, 0, 1243344, "\??\OLLYBONE"}, 0x0, 128, 3, 1, 96, 0, 0, ... ) }, 0x0, 128, 3, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00578  1744   NtRequestWaitReplyPort  (88, {100, 124, new_msg, 0, 1736, 1744, 75486, 0}  (88, {100, 124, new_msg, 0, 1736, 1744, 75486, 0} "\1+\0\0A\2\34\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\1\0\0\0\0\0\0\230\\320\300\206n\240K\233w\232\255W\377\235:\11\0\0\0\0\0\0\0\11\0\0\0OLLYBONE\0\0\0\0\4\0\0\0\0\0\0\0\14\0\0\0\0\0\0\0\14\0\0\0\0\0\0\0" ... {96, 120, reply, 0, 1736, 1744, 75487, 0} "\2\314\274\201\1\0[\200\377\3\37\0\240\314\274\201\0\374\340\377H=\266\367U&\\200d=\266\367\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\4\0\0\0\0\0\0\0\0\0\0\2746\13\0\1\0\0\0\0\0\0\0\1\0\0\0\0\00\0\24\0\0\0\0\0\0\0\24\0\0\0" )  ... {96, 120, reply, 0, 1736, 1744, 75487, 0}  (88, {100, 124, new_msg, 0, 1736, 1744, 75486, 0} "\1+\0\0A\2\34\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\1\0\0\0\0\0\0\230\\320\300\206n\240K\233w\232\255W\377\235:\11\0\0\0\0\0\0\0\11\0\0\0OLLYBONE\0\0\0\0\4\0\0\0\0\0\0\0\14\0\0\0\0\0\0\0\14\0\0\0\0\0\0\0" ... {96, 120, reply, 0, 1736, 1744, 75487, 0} "\2\314\274\201\1\0[\200\377\3\37\0\240\314\274\201\0\374\340\377H=\266\367U&\\200d=\266\367\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\4\0\0\0\0\0\0\0\0\0\0\2746\13\0\1\0\0\0\0\0\0\0\1\0\0\0\0\00\0\24\0\0\0\0\0\0\0\24\0\0\0" )  ) == 0x0
 00579  1744   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1243344,  (0x80100080, {24, 0, 0x40, 0, 1243344, "\??\FRDTSC"}, 0x0, 128, 3, 1, 96, 0, 0, ... ) }, 0x0, 128, 3, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00580  1744   NtRequestWaitReplyPort  (88, {96, 120, new_msg, 0, 1736, 1744, 75487, 0}  (88, {96, 120, new_msg, 0, 1736, 1744, 75487, 0} "\1\314\0\0A\2\34\0\377\3\37\0\240\314\274\201\0\374\340\377H=\266\367\377\377\377\377d=\266\367\0\0\0\0\230\\320\300\206n\240K\233w\232\255W\377\235:\7\0\0\0\0\0\0\0\7\0\0\0FRDTSC\0\0\4\0\0\0\1\0\0\0\0\00\0\24\0\0\0\0\0\0\0\24\0\0\0" ... {96, 120, reply, 0, 1736, 1744, 75488, 0} "\2\0\370\0\1\0\335\341<\0\370\0\226\245\335\341\264\311\275\201:\332R\200X{\266\367\]\222\201\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\324\0\0\0z\0\0\0\1\0\0\0\0\00\0\5\0\0\0\0\0\0\0\5\0\0\0" )  ... {96, 120, reply, 0, 1736, 1744, 75488, 0}  (88, {96, 120, new_msg, 0, 1736, 1744, 75487, 0} "\1\314\0\0A\2\34\0\377\3\37\0\240\314\274\201\0\374\340\377H=\266\367\377\377\377\377d=\266\367\0\0\0\0\230\\320\300\206n\240K\233w\232\255W\377\235:\7\0\0\0\0\0\0\0\7\0\0\0FRDTSC\0\0\4\0\0\0\1\0\0\0\0\00\0\24\0\0\0\0\0\0\0\24\0\0\0" ... {96, 120, reply, 0, 1736, 1744, 75488, 0} "\2\0\370\0\1\0\335\341<\0\370\0\226\245\335\341\264\311\275\201:\332R\200X{\266\367\]\222\201\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\324\0\0\0z\0\0\0\1\0\0\0\0\00\0\5\0\0\0\0\0\0\0\5\0\0\0" )  ) == 0x0
 00581  1744   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1243344,  (0x80100080, {24, 0, 0x40, 0, 1243344, "\??\FRDTSC0"}, 0x0, 128, 3, 1, 96, 0, 0, ... ) }, 0x0, 128, 3, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00582  1744   NtRequestWaitReplyPort  (88, {96, 120, new_msg, 0, 1736, 1744, 75488, 0}  (88, {96, 120, new_msg, 0, 1736, 1744, 75488, 0} "\1\0\0\0A\2\34\0<\0\370\0\226\245\335\341\264\311\275\201:\332R\200\377\377\377\377\]\222\201\0\0\0\0\230\\320\300\206n\240K\233w\232\255W\377\235:\10\0\0\0\0\0\0\0\10\0\0\0FRDTSC0\0\4\0\0\0\1\0\0\0\0\00\0\5\0\0\0\0\0\0\0\5\0\0\0" ... {96, 120, reply, 0, 1736, 1744, 75489, 0} "\2+\263\341\1\0T\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\4\0\0\0\0\0\0\0\0\0\0\254f\12\0\1\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\14\0\0\0\0\0\0\0\14\0\0\0" )  ... {96, 120, reply, 0, 1736, 1744, 75489, 0}  (88, {96, 120, new_msg, 0, 1736, 1744, 75488, 0} "\1\0\0\0A\2\34\0<\0\370\0\226\245\335\341\264\311\275\201:\332R\200\377\377\377\377\]\222\201\0\0\0\0\230\\320\300\206n\240K\233w\232\255W\377\235:\10\0\0\0\0\0\0\0\10\0\0\0FRDTSC0\0\4\0\0\0\1\0\0\0\0\00\0\5\0\0\0\0\0\0\0\5\0\0\0" ... {96, 120, reply, 0, 1736, 1744, 75489, 0} "\2+\263\341\1\0T\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\4\0\0\0\0\0\0\0\0\0\0\254f\12\0\1\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\14\0\0\0\0\0\0\0\14\0\0\0" )  ) == 0x0
 00583  1744   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1243344,  (0x80100080, {24, 0, 0x40, 0, 1243344, "\??\EXTREMEHIDE"}, 0x0, 128, 3, 1, 96, 0, 0, ... ) }, 0x0, 128, 3, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00584  1744   NtRequestWaitReplyPort  (88, {100, 124, new_msg, 0, 1736, 1744, 75489, 0}  (88, {100, 124, new_msg, 0, 1736, 1744, 75489, 0} "\1+\0\0A\2\34\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\1\0\0\0\0\0\0\230\\320\300\206n\240K\233w\232\255W\377\235:\14\0\0\0\0\0\0\0\14\0\0\0EXTREMEHIDE\0\4\0\0\0\0\0\0\0\14\0\0\0\0\0\0\0\14\0\0\0\0\0\0\0" ... {96, 120, reply, 0, 1736, 1744, 75490, 0} "\2\314\274\201\1\0[\200\377\3\37\0\240\314\274\201\0\374\340\377H=\266\367U&\\200d=\266\367\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\4\0\0\0\0\0\0\0\0\0\0\2746\13\0\1\0\0\0\0\0\0\0\1\0\0\0\0\00\0\24\0\0\0\0\0\0\0\24\0\0\0" )  ... {96, 120, reply, 0, 1736, 1744, 75490, 0}  (88, {100, 124, new_msg, 0, 1736, 1744, 75489, 0} "\1+\0\0A\2\34\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\1\0\0\0\0\0\0\230\\320\300\206n\240K\233w\232\255W\377\235:\14\0\0\0\0\0\0\0\14\0\0\0EXTREMEHIDE\0\4\0\0\0\0\0\0\0\14\0\0\0\0\0\0\0\14\0\0\0\0\0\0\0" ... {96, 120, reply, 0, 1736, 1744, 75490, 0} "\2\314\274\201\1\0[\200\377\3\37\0\240\314\274\201\0\374\340\377H=\266\367U&\\200d=\266\367\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\4\0\0\0\0\0\0\0\0\0\0\2746\13\0\1\0\0\0\0\0\0\0\1\0\0\0\0\00\0\24\0\0\0\0\0\0\0\24\0\0\0" )  ) == 0x0
 00585  1744   NtRequestWaitReplyPort  (88, {88, 112, new_msg, 0, 1736, 1744, 75490, 0}  (88, {88, 112, new_msg, 0, 1736, 1744, 75490, 0} "\1\314\0\0A\2\0\0\377\3\37\0\240\314\274\201\0\374\340\377H=\266\367\377\377\377\377d=\266\367\0\0\0\0\230\\320\300\206n\240K\233w\232\255W\377\235:$\4\0\0\0\0\0\0\0\0\0\0\2746\13\0\1\0\0\0\0\0\0\0\1\0\0\0\0\00\0\24\0\0\0" ... {96, 120, reply, 0, 1736, 1744, 75491, 0} "\2\0\370\0\1\0\335\341<\0\370\0\226\245\335\341\264\311\275\201:\332R\200X{\266\367\]\222\201\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\324\0\0\0z\0\0\0\1\0\0\0\0\00\0\5\0\0\0\0\0\0\0\5\0\0\0" )  ... {96, 120, reply, 0, 1736, 1744, 75491, 0}  (88, {88, 112, new_msg, 0, 1736, 1744, 75490, 0} "\1\314\0\0A\2\0\0\377\3\37\0\240\314\274\201\0\374\340\377H=\266\367\377\377\377\377d=\266\367\0\0\0\0\230\\320\300\206n\240K\233w\232\255W\377\235:$\4\0\0\0\0\0\0\0\0\0\0\2746\13\0\1\0\0\0\0\0\0\0\1\0\0\0\0\00\0\24\0\0\0" ... {96, 120, reply, 0, 1736, 1744, 75491, 0} "\2\0\370\0\1\0\335\341<\0\370\0\226\245\335\341\264\311\275\201:\332R\200X{\266\367\]\222\201\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\324\0\0\0z\0\0\0\1\0\0\0\0\00\0\5\0\0\0\0\0\0\0\5\0\0\0" )  ) == 0x0
 00586  1744   NtClose  (84, ... ) == 0x0
 00587  1744   NtClose  (88, ... ) == 0x0
 00588  1744   NtDuplicateObject  (-1, 2557, -1, 0x0, 0, 2, ... ) == STATUS_INVALID_HANDLE
 00589  1744   NtClose  (0, ... ) == STATUS_INVALID_HANDLE
 00590  1744   NtClose  (0, ... ) == STATUS_INVALID_HANDLE
 00591  1744   NtTestAlert  (... ) == 0x0
 00592  1744   NtContinue  (1244464, 1, ...
 00593  1744   NtSetInformationThread  (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x407677,}, 4, ... ) == 0x0
 00594  1744   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 88, ) == 0x0
 00595  1744   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 9437184, 1048576, ) == 0x0
 00596  1744   NtAllocateVirtualMemory  (-1, 10477568, 0, 8192, 4096, 4, ... 10477568, 8192, ) == 0x0
 00597  1744   NtProtectVirtualMemory  (-1, (0x9fe000), 4096, 260, ... (0x9fe000), 4096, 4, ) == 0x0
 00598  1744   NtCreateThread  (0x1f03ff, 0x0, -1, 1244104, 1244048, 1, ... 84, {1736, 868}, ) == 0x0
 00599  1744   NtQueryInformationThread  (84, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdd000,Pid=1736,Tid=868,}, 0x0, ) == 0x0
 00600  1744   NtRequestWaitReplyPort  (28, {28, 56, new_msg, 0, -2141992408, 1, -2146435072, -139281332}  (28, {28, 56, new_msg, 0, -2141992408, 1, -2146435072, -139281332} "\0\0\0\0\1\0\1\0 \0\0\0\200\274\262\367T\0\0\0\310\6\0\0d\3\0\0" ... {28, 56, reply, 0, 1736, 1744, 75493, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\200\274\262\367T\0\0\0\310\6\0\0d\3\0\0" )  ... {28, 56, reply, 0, 1736, 1744, 75493, 0}  (28, {28, 56, new_msg, 0, -2141992408, 1, -2146435072, -139281332} "\0\0\0\0\1\0\1\0 \0\0\0\200\274\262\367T\0\0\0\310\6\0\0d\3\0\0" ... {28, 56, reply, 0, 1736, 1744, 75493, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\200\274\262\367T\0\0\0\310\6\0\0d\3\0\0" )  ) == 0x0
 00601  1744   NtResumeThread  (84, ... 1, ) == 0x0
 00602  1744   NtClose  (84, ... ) == 0x0
 00603  1744   NtWaitForSingleObject  (88, 0, 0x0, ...
 00604   868   NtRequestWaitReplyPort  (28, {24, 52, new_msg, 0, 0, 0, 0, 0}  (28, {24, 52, new_msg, 0, 0, 0, 0, 0} "\0\0\0\0Q\2\2\0\0\0\0\0\0\0\0\0\1\0:\0\0\0\0\0" ... {24, 52, reply, 0, 1736, 868, 75494, 0} "\0\0\0\0Q\2\2\0\273\0\0\300\0\0\0\0\1\0:\0\0\0\0\0" )  ... {24, 52, reply, 0, 1736, 868, 75494, 0}  (28, {24, 52, new_msg, 0, 0, 0, 0, 0} "\0\0\0\0Q\2\2\0\0\0\0\0\0\0\0\0\1\0:\0\0\0\0\0" ... {24, 52, reply, 0, 1736, 868, 75494, 0} "\0\0\0\0Q\2\2\0\273\0\0\300\0\0\0\0\1\0:\0\0\0\0\0" )  ) == 0x0
 00605   868   NtTestAlert  (... ) == 0x0
 00606   868   NtContinue  (10485040, 1, ...
 00607   868   NtRegisterThreadTerminatePort  (28, ... ) == 0x0
 00608   868   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ... ) == 0x0
 00609   868   NtSetEvent  (88, ...
 00603  1744   NtWaitForSingleObject  ... ) == 0x0
 00610  1744   NtClose  (88, ... ) == 0x0
 00611  1744   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 88, ) == 0x0
 00612  1744   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 10485760, 1048576, ) == 0x0
 00613  1744   NtAllocateVirtualMemory  (-1, 11526144, 0, 8192, 4096, 4, ... 11526144, 8192, ) == 0x0
 00614  1744   NtProtectVirtualMemory  (-1, (0xafe000), 4096, 260, ... (0xafe000), 4096, 4, ) == 0x0
 00615  1744   NtCreateThread  (0x1f03ff, 0x0, -1, 1244104, 1244048, 1, ... 84, {1736, 808}, ) == 0x0
 00616  1744   NtQueryInformationThread  (84, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdc000,Pid=1736,Tid=808,}, 0x0, ) == 0x0
 00617  1744   NtRequestWaitReplyPort  (28, {28, 56, new_msg, 0, 1736, 1744, 75493, 0}  (28, {28, 56, new_msg, 0, 1736, 1744, 75493, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\200\274\262\367T\0\0\0\310\6\0\0(\3\0\0" ... {28, 56, reply, 0, 1736, 1744, 75495, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\200\274\262\367T\0\0\0\310\6\0\0(\3\0\0" )  ... {28, 56, reply, 0, 1736, 1744, 75495, 0}  (28, {28, 56, new_msg, 0, 1736, 1744, 75493, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\200\274\262\367T\0\0\0\310\6\0\0(\3\0\0" ... {28, 56, reply, 0, 1736, 1744, 75495, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\200\274\262\367T\0\0\0\310\6\0\0(\3\0\0" )  ) == 0x0
 00618  1744   NtResumeThread  (84, ... 1, ) == 0x0
 00619  1744   NtClose  (84, ... ) == 0x0
 00620  1744   NtWaitForSingleObject  (88, 0, 0x0, ...
 00621   808   NtRequestWaitReplyPort  (28, {24, 52, new_msg, 0, 0, 0, 0, 0}  (28, {24, 52, new_msg, 0, 0, 0, 0, 0} "\0\0\0\0Q\2\2\0\0\0\0\0\0\0\0\0\1\0:\0\0\0\0\0" ... {24, 52, reply, 0, 1736, 808, 75496, 0} "\0\0\0\0Q\2\2\0\273\0\0\300\0\0\0\0\1\0:\0\0\0\0\0" )  ... {24, 52, reply, 0, 1736, 808, 75496, 0}  (28, {24, 52, new_msg, 0, 0, 0, 0, 0} "\0\0\0\0Q\2\2\0\0\0\0\0\0\0\0\0\1\0:\0\0\0\0\0" ... {24, 52, reply, 0, 1736, 808, 75496, 0} "\0\0\0\0Q\2\2\0\273\0\0\300\0\0\0\0\1\0:\0\0\0\0\0" )  ) == 0x0
 00622   808   NtTestAlert  (... ) == 0x0
 00623   808   NtContinue  (11533616, 1, ...
 00624   808   NtRegisterThreadTerminatePort  (28, ... ) == 0x0
 00625   808   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 00609   868   NtSetEvent  ... 0x0, ) == 0x0
 00626   868   NtQueryInformationThread  (-2, AmILastThread, 4, ... {thread info, class 12, size 4}, 0x0, ) == 0x0
 00627   868   NtTerminateThread  (0, 0, ...
 00625   808   NtSetInformationThread  ... ) == 0x0
 00628   808   NtSetEvent  (88, ...
 00620  1744   NtWaitForSingleObject  ... ) == 0x0
 00629  1744   NtClose  (88, ... ) == 0x0
 00630  1744   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 88, ) == 0x0
 00631  1744   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 11534336, 1048576, ) == 0x0
 00632  1744   NtAllocateVirtualMemory  (-1, 12574720, 0, 8192, 4096, 4, ... 12574720, 8192, ) == 0x0
 00633  1744   NtProtectVirtualMemory  (-1, (0xbfe000), 4096, 260, ... (0xbfe000), 4096, 4, ) == 0x0
 00634  1744   NtCreateThread  (0x1f03ff, 0x0, -1, 1244104, 1244048, 1, ... 84, {1736, 2020}, ) == 0x0
 00635  1744   NtQueryInformationThread  (84, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdb000,Pid=1736,Tid=2020,}, 0x0, ) == 0x0
 00636  1744   NtRequestWaitReplyPort  (28, {28, 56, new_msg, 0, 1736, 1744, 75495, 0}  (28, {28, 56, new_msg, 0, 1736, 1744, 75495, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\200\274\262\367T\0\0\0\310\6\0\0\344\7\0\0" ... {28, 56, reply, 0, 1736, 1744, 75497, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\200\274\262\367T\0\0\0\310\6\0\0\344\7\0\0" )  ... {28, 56, reply, 0, 1736, 1744, 75497, 0}  (28, {28, 56, new_msg, 0, 1736, 1744, 75495, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\200\274\262\367T\0\0\0\310\6\0\0\344\7\0\0" ... {28, 56, reply, 0, 1736, 1744, 75497, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\200\274\262\367T\0\0\0\310\6\0\0\344\7\0\0" )  ) == 0x0
 00637  1744   NtResumeThread  (84, ... 1, ) == 0x0
 00638  1744   NtClose  (84, ... ) == 0x0
 00639  1744   NtWaitForSingleObject  (88, 0, 0x0, ...
 00640  2020   NtRequestWaitReplyPort  (28, {24, 52, new_msg, 0, 0, 0, 0, 0}  (28, {24, 52, new_msg, 0, 0, 0, 0, 0} "\0\0\0\0Q\2\2\0\0\0\0\0\0\0\0\0\1\0:\0\0\0\0\0" ... {24, 52, reply, 0, 1736, 2020, 75498, 0} "\0\0\0\0Q\2\2\0\273\0\0\300\0\0\0\0\1\0:\0\0\0\0\0" )  ... {24, 52, reply, 0, 1736, 2020, 75498, 0}  (28, {24, 52, new_msg, 0, 0, 0, 0, 0} "\0\0\0\0Q\2\2\0\0\0\0\0\0\0\0\0\1\0:\0\0\0\0\0" ... {24, 52, reply, 0, 1736, 2020, 75498, 0} "\0\0\0\0Q\2\2\0\273\0\0\300\0\0\0\0\1\0:\0\0\0\0\0" )  ) == 0x0
 00641  2020   NtTestAlert  (... ) == 0x0
 00642  2020   NtContinue  (12582192, 1, ...
 00643  2020   NtRegisterThreadTerminatePort  (28, ... ) == 0x0
 00644  2020   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 00628   808   NtSetEvent  ... 0x0, ) == 0x0
 00645   808   NtQueryInformationThread  (-2, AmILastThread, 4, ... {thread info, class 12, size 4}, 0x0, ) == 0x0
 00646   808   NtTerminateThread  (0, 0, ...
 00647   808   NtFreeVirtualMemory  (-1, (0xa00000), 0, 32768, ... (0xa00000), 1048576, ) == 0x0
 00648   868   NtFreeVirtualMemory  (-1, (0x900000), 0, 32768, ... (0x900000), 1048576, ) == 0x0
 00644  2020   NtSetInformationThread  ... ) == 0x0
 00649  2020   NtSetEvent  (88, ...
 00639  1744   NtWaitForSingleObject  ... ) == 0x0
 00650  1744   NtClose  (88, ... ) == 0x0
 00651  1744   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 88, ) == 0x0
 00652  1744   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 9437184, 1048576, ) == 0x0
 00653  1744   NtAllocateVirtualMemory  (-1, 10477568, 0, 8192, 4096, 4, ... 10477568, 8192, ) == 0x0
 00654  1744   NtProtectVirtualMemory  (-1, (0x9fe000), 4096, 260, ... (0x9fe000), 4096, 4, ) == 0x0
 00655  1744   NtCreateThread  (0x1f03ff, 0x0, -1, 1244104, 1244048, 1, ... 84, {1736, 896}, ) == 0x0
 00656  1744   NtQueryInformationThread  (84, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdd000,Pid=1736,Tid=896,}, 0x0, ) == 0x0
 00657  1744   NtRequestWaitReplyPort  (28, {28, 56, new_msg, 0, 1736, 1744, 75497, 0}  (28, {28, 56, new_msg, 0, 1736, 1744, 75497, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\200\274\262\367T\0\0\0\310\6\0\0\200\3\0\0" ... {28, 56, reply, 0, 1736, 1744, 75501, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\200\274\262\367T\0\0\0\310\6\0\0\200\3\0\0" )  ... {28, 56, reply, 0, 1736, 1744, 75501, 0}  (28, {28, 56, new_msg, 0, 1736, 1744, 75497, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\200\274\262\367T\0\0\0\310\6\0\0\200\3\0\0" ... {28, 56, reply, 0, 1736, 1744, 75501, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\200\274\262\367T\0\0\0\310\6\0\0\200\3\0\0" )  ) == 0x0
 00658  1744   NtResumeThread  (84, ... 1, ) == 0x0
 00659  1744   NtClose  (84, ... ) == 0x0
 00660  1744   NtWaitForSingleObject  (88, 0, 0x0, ...
 00661   896   NtRequestWaitReplyPort  (28, {24, 52, new_msg, 0, 0, 0, 0, 0}  (28, {24, 52, new_msg, 0, 0, 0, 0, 0} "\0\0\0\0Q\2\2\0\0\0\0\0\0\0\0\0\1\0:\0\0\0\0\0" ... {24, 52, reply, 0, 1736, 896, 75502, 0} "\0\0\0\0Q\2\2\0\273\0\0\300\0\0\0\0\1\0:\0\0\0\0\0" )  ... {24, 52, reply, 0, 1736, 896, 75502, 0}  (28, {24, 52, new_msg, 0, 0, 0, 0, 0} "\0\0\0\0Q\2\2\0\0\0\0\0\0\0\0\0\1\0:\0\0\0\0\0" ... {24, 52, reply, 0, 1736, 896, 75502, 0} "\0\0\0\0Q\2\2\0\273\0\0\300\0\0\0\0\1\0:\0\0\0\0\0" )  ) == 0x0
 00662   896   NtTestAlert  (... ) == 0x0
 00663   896   NtContinue  (10485040, 1, ...
 00664   896   NtRegisterThreadTerminatePort  (28, ... ) == 0x0
 00665   896   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 00649  2020   NtSetEvent  ... 0x0, ) == 0x0
 00665   896   NtSetInformationThread  ... ) == 0x0
 00666   896   NtSetEvent  (88, ...
 00660  1744   NtWaitForSingleObject  ... ) == 0x0
 00667  1744   NtClose  (88, ... ) == 0x0
 00668  1744   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 88, ) == 0x0
 00669  1744   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 10485760, 1048576, ) == 0x0
 00670  1744   NtAllocateVirtualMemory  (-1, 11526144, 0, 8192, 4096, 4, ... 11526144, 8192, ) == 0x0
 00671  1744   NtProtectVirtualMemory  (-1, (0xafe000), 4096, 260, ... (0xafe000), 4096, 4, ) == 0x0
 00672  1744   NtCreateThread  (0x1f03ff, 0x0, -1, 1244104, 1244048, 1, ... 84, {1736, 1252}, ) == 0x0
 00673  1744   NtQueryInformationThread  (84, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdc000,Pid=1736,Tid=1252,}, 0x0, ) == 0x0
 00674  1744   NtRequestWaitReplyPort  (28, {28, 56, new_msg, 0, 1736, 1744, 75501, 0}  (28, {28, 56, new_msg, 0, 1736, 1744, 75501, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\200\274\262\367T\0\0\0\310\6\0\0\344\4\0\0" ... {28, 56, reply, 0, 1736, 1744, 75503, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\200\274\262\367T\0\0\0\310\6\0\0\344\4\0\0" )  ... {28, 56, reply, 0, 1736, 1744, 75503, 0}  (28, {28, 56, new_msg, 0, 1736, 1744, 75501, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\200\274\262\367T\0\0\0\310\6\0\0\344\4\0\0" ... {28, 56, reply, 0, 1736, 1744, 75503, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\200\274\262\367T\0\0\0\310\6\0\0\344\4\0\0" )  ) == 0x0
 00675  1744   NtResumeThread  (84, ... 1, ) == 0x0
 00676  1744   NtClose  (84, ... ) == 0x0
 00677  1744   NtWaitForSingleObject  (88, 0, 0x0, ...
 00678  1252   NtRequestWaitReplyPort  (28, {24, 52, new_msg, 0, 0, 0, 0, 0}  (28, {24, 52, new_msg, 0, 0, 0, 0, 0} "\0\0\0\0Q\2\2\0\0\0\0\0\0\0\0\0\1\0:\0\0\0\0\0" ... {24, 52, reply, 0, 1736, 1252, 75504, 0} "\0\0\0\0Q\2\2\0\273\0\0\300\0\0\0\0\1\0:\0\0\0\0\0" )  ... {24, 52, reply, 0, 1736, 1252, 75504, 0}  (28, {24, 52, new_msg, 0, 0, 0, 0, 0} "\0\0\0\0Q\2\2\0\0\0\0\0\0\0\0\0\1\0:\0\0\0\0\0" ... {24, 52, reply, 0, 1736, 1252, 75504, 0} "\0\0\0\0Q\2\2\0\273\0\0\300\0\0\0\0\1\0:\0\0\0\0\0" )  ) == 0x0
 00679  1252   NtTestAlert  (... ) == 0x0
 00680  1252   NtContinue  (11533616, 1, ...
 00681  1252   NtRegisterThreadTerminatePort  (28, ... ) == 0x0
 00682  1252   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 00666   896   NtSetEvent  ... 0x0, ) == 0x0
 00683   896   NtQueryInformationThread  (-2, AmILastThread, 4, ... {thread info, class 12, size 4}, 0x0, ) == 0x0
 00684   896   NtTerminateThread  (0, 0, ...
 00685  2020   NtQueryInformationThread  (-2, AmILastThread, 4, ...
 00682  1252   NtSetInformationThread  ... ) == 0x0
 00685  2020   NtQueryInformationThread  ... {thread info, class 12, size 4}, 0x0, ) == 0x0
 00686  1252   NtSetEvent  (88, ...
 00687  2020   NtTerminateThread  (0, 0, ...
 00677  1744   NtWaitForSingleObject  ... ) == 0x0
 00686  1252   NtSetEvent  ... 0x0, ) == 0x0
 00688  1744   NtClose  (88, ...
 00689  2020   NtFreeVirtualMemory  (-1, (0xb00000), 0, 32768, ... (0xb00000), 1048576, ) == 0x0
 00688  1744   NtClose  ... ) == 0x0
 00690  1744   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 88, ) == 0x0
 00691  1744   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 11534336, 1048576, ) == 0x0
 00692  1744   NtAllocateVirtualMemory  (-1, 12574720, 0, 8192, 4096, 4, ... 12574720, 8192, ) == 0x0
 00693  1744   NtProtectVirtualMemory  (-1, (0xbfe000), 4096, 260, ... (0xbfe000), 4096, 4, ) == 0x0
 00694  1744   NtCreateThread  (0x1f03ff, 0x0, -1, 1244104, 1244048, 1, ... 84, {1736, 2016}, ) == 0x0
 00695  1744   NtQueryInformationThread  (84, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdb000,Pid=1736,Tid=2016,}, 0x0, ) == 0x0
 00696  1744   NtRequestWaitReplyPort  (28, {28, 56, new_msg, 0, 1736, 1744, 75503, 0}  (28, {28, 56, new_msg, 0, 1736, 1744, 75503, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\200\274\262\367T\0\0\0\310\6\0\0\340\7\0\0" ... {28, 56, reply, 0, 1736, 1744, 75506, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\200\274\262\367T\0\0\0\310\6\0\0\340\7\0\0" )  ... {28, 56, reply, 0, 1736, 1744, 75506, 0}  (28, {28, 56, new_msg, 0, 1736, 1744, 75503, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\200\274\262\367T\0\0\0\310\6\0\0\340\7\0\0" ... {28, 56, reply, 0, 1736, 1744, 75506, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\200\274\262\367T\0\0\0\310\6\0\0\340\7\0\0" )  ) == 0x0
 00697  1744   NtResumeThread  (84, ... 1, ) == 0x0
 00698  1744   NtClose  (84, ... ) == 0x0
 00699  1744   NtWaitForSingleObject  (88, 0, 0x0, ...
 00700  2016   NtRequestWaitReplyPort  (28, {24, 52, new_msg, 0, 0, 0, 0, 0}  (28, {24, 52, new_msg, 0, 0, 0, 0, 0} "\0\0\0\0Q\2\2\0\0\0\0\0\0\0\0\0\1\0:\0\0\0\0\0" ... {24, 52, reply, 0, 1736, 2016, 75507, 0} "\0\0\0\0Q\2\2\0\273\0\0\300\0\0\0\0\1\0:\0\0\0\0\0" )  ... {24, 52, reply, 0, 1736, 2016, 75507, 0}  (28, {24, 52, new_msg, 0, 0, 0, 0, 0} "\0\0\0\0Q\2\2\0\0\0\0\0\0\0\0\0\1\0:\0\0\0\0\0" ... {24, 52, reply, 0, 1736, 2016, 75507, 0} "\0\0\0\0Q\2\2\0\273\0\0\300\0\0\0\0\1\0:\0\0\0\0\0" )  ) == 0x0
 00701  2016   NtTestAlert  (... ) == 0x0
 00702  2016   NtContinue  (12582192, 1, ...
 00703  2016   NtRegisterThreadTerminatePort  (28, ... ) == 0x0
 00704  2016   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 00705  1252   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 84, ) == 0x0
 00706  1252   NtCallbackReturn  (0, 0, 0, ...
 00707  1252   NtUserFindWindowEx  (0, 0,  (0, 0, "OLLYDBG", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 00708  1252   NtUserFindWindowEx  (0, 0,  (0, 0, "WispWindowClass", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 00709  1252   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 92, ) == 0x0
 00710   896   NtFreeVirtualMemory  (-1, (0x900000), 0, 32768, ...
 00704  2016   NtSetInformationThread  ... ) == 0x0
 00710   896   NtFreeVirtualMemory  ... (0x900000), 1048576, ) == 0x0
 00711  2016   NtSetEvent  (88, ...
 00699  1744   NtWaitForSingleObject  ... ) == 0x0
 00712  1744   NtClose  (88, ... ) == 0x0
 00713  1744   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 88, ) == 0x0
 00714  1744   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 9437184, 1048576, ) == 0x0
 00715  1744   NtAllocateVirtualMemory  (-1, 10477568, 0, 8192, 4096, 4, ... 10477568, 8192, ) == 0x0
 00716  1744   NtProtectVirtualMemory  (-1, (0x9fe000), 4096, 260, ... (0x9fe000), 4096, 4, ) == 0x0
 00717  1744   NtCreateThread  (0x1f03ff, 0x0, -1, 1244104, 1244048, 1, ... 96, {1736, 2012}, ) == 0x0
 00718  1744   NtQueryInformationThread  (96, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdd000,Pid=1736,Tid=2012,}, 0x0, ) == 0x0
 00719  1744   NtRequestWaitReplyPort  (28, {28, 56, new_msg, 0, 1736, 1744, 75506, 0}  (28, {28, 56, new_msg, 0, 1736, 1744, 75506, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\200\274\262\367`\0\0\0\310\6\0\0\334\7\0\0" ... {28, 56, reply, 0, 1736, 1744, 75509, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\200\274\262\367`\0\0\0\310\6\0\0\334\7\0\0" )  ... {28, 56, reply, 0, 1736, 1744, 75509, 0}  (28, {28, 56, new_msg, 0, 1736, 1744, 75506, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\200\274\262\367`\0\0\0\310\6\0\0\334\7\0\0" ... {28, 56, reply, 0, 1736, 1744, 75509, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\200\274\262\367`\0\0\0\310\6\0\0\334\7\0\0" )  ) == 0x0
 00720  1744   NtResumeThread  (96, ... 1, ) == 0x0
 00721  1744   NtClose  (96, ... ) == 0x0
 00722  1744   NtWaitForSingleObject  (88, 0, 0x0, ...
 00723  2012   NtRequestWaitReplyPort  (28, {24, 52, new_msg, 0, 0, 0, 0, 0}  (28, {24, 52, new_msg, 0, 0, 0, 0, 0} "\0\0\0\0Q\2\2\0\0\0\0\0\0\0\0\0\1\0:\0\0\0\0\0" ... {24, 52, reply, 0, 1736, 2012, 75510, 0} "\0\0\0\0Q\2\2\0\273\0\0\300\0\0\0\0\1\0:\0\0\0\0\0" )  ... {24, 52, reply, 0, 1736, 2012, 75510, 0}  (28, {24, 52, new_msg, 0, 0, 0, 0, 0} "\0\0\0\0Q\2\2\0\0\0\0\0\0\0\0\0\1\0:\0\0\0\0\0" ... {24, 52, reply, 0, 1736, 2012, 75510, 0} "\0\0\0\0Q\2\2\0\273\0\0\300\0\0\0\0\1\0:\0\0\0\0\0" )  ) == 0x0
 00724  2012   NtTestAlert  (... ) == 0x0
 00725  2012   NtContinue  (10485040, 1, ...
 00726  2012   NtRegisterThreadTerminatePort  (28, ... ) == 0x0
 00727  2012   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 00711  2016   NtSetEvent  ... 0x0, ) == 0x0
 00728  2016   NtQueryInformationThread  (-2, AmILastThread, 4, ... {thread info, class 12, size 4}, 0x0, ) == 0x0
 00729  2016   NtTerminateThread  (0, 0, ...
 00730  2016   NtFreeVirtualMemory  (-1, (0xb00000), 0, 32768, ... (0xb00000), 1048576, ) == 0x0
 00731  1252   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 11534336, 1048576, ) == 0x0
 00732  1252   NtAllocateVirtualMemory  (-1, 12574720, 0, 8192, 4096, 4, ... 12574720, 8192, ) == 0x0
 00733  1252   NtProtectVirtualMemory  (-1, (0xbfe000), 4096, 260, ... (0xbfe000), 4096, 4, ) == 0x0
 00727  2012   NtSetInformationThread  ... ) == 0x0
 00734  2012   NtSetEvent  (88, ...
 00722  1744   NtWaitForSingleObject  ... ) == 0x0
 00735  1744   NtClose  (88, ... ) == 0x0
 00736  1744   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 88, ) == 0x0
 00737  1744   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 12582912, 1048576, ) == 0x0
 00738  1744   NtAllocateVirtualMemory  (-1, 13623296, 0, 8192, 4096, 4, ... 13623296, 8192, ) == 0x0
 00739  1744   NtProtectVirtualMemory  (-1, (0xcfe000), 4096, 260, ... (0xcfe000), 4096, 4, ) == 0x0
 00740  1744   NtCreateThread  (0x1f03ff, 0x0, -1, 1244104, 1244048, 1, ... 96, {1736, 1028}, ) == 0x0
 00741  1744   NtQueryInformationThread  (96, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdb000,Pid=1736,Tid=1028,}, 0x0, ) == 0x0
 00742  1744   NtRequestWaitReplyPort  (28, {28, 56, new_msg, 0, 1736, 1744, 75509, 0}  (28, {28, 56, new_msg, 0, 1736, 1744, 75509, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\200\274\262\367`\0\0\0\310\6\0\0\4\4\0\0" ... {28, 56, reply, 0, 1736, 1744, 75512, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\200\274\262\367`\0\0\0\310\6\0\0\4\4\0\0" )  ... {28, 56, reply, 0, 1736, 1744, 75512, 0}  (28, {28, 56, new_msg, 0, 1736, 1744, 75509, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\200\274\262\367`\0\0\0\310\6\0\0\4\4\0\0" ... {28, 56, reply, 0, 1736, 1744, 75512, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\200\274\262\367`\0\0\0\310\6\0\0\4\4\0\0" )  ) == 0x0
 00743  1744   NtResumeThread  (96, ... 1, ) == 0x0
 00744  1744   NtClose  (96, ... ) == 0x0
 00745  1744   NtWaitForSingleObject  (88, 0, 0x0, ...
 00746  1028   NtRequestWaitReplyPort  (28, {24, 52, new_msg, 0, 0, 0, 0, 0}  (28, {24, 52, new_msg, 0, 0, 0, 0, 0} "\0\0\0\0Q\2\2\0\0\0\0\0\0\0\0\0\1\0:\0\0\0\0\0" ... {24, 52, reply, 0, 1736, 1028, 75513, 0} "\0\0\0\0Q\2\2\0\273\0\0\300\0\0\0\0\1\0:\0\0\0\0\0" )  ... {24, 52, reply, 0, 1736, 1028, 75513, 0}  (28, {24, 52, new_msg, 0, 0, 0, 0, 0} "\0\0\0\0Q\2\2\0\0\0\0\0\0\0\0\0\1\0:\0\0\0\0\0" ... {24, 52, reply, 0, 1736, 1028, 75513, 0} "\0\0\0\0Q\2\2\0\273\0\0\300\0\0\0\0\1\0:\0\0\0\0\0" )  ) == 0x0
 00747  1028   NtTestAlert  (... ) == 0x0
 00748  1028   NtContinue  (13630768, 1, ...
 00749  1028   NtRegisterThreadTerminatePort  (28, ... ) == 0x0
 00750  1028   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 00734  2012   NtSetEvent  ... 0x0, ) == 0x0
 00751  2012   NtSetSecurityObject  (-1, 4, {1, 0, 0x4, 0, 0, 0, 10484644}, ... ) == 0x0
 00752  2012   NtQueryInformationThread  (-2, AmILastThread, 4, ... {thread info, class 12, size 4}, 0x0, ) == 0x0
 00753  2012   NtTerminateThread  (0, 0, ...
 00754  2012   NtFreeVirtualMemory  (-1, (0x900000), 0, 32768, ... (0x900000), 1048576, ) == 0x0
 00755  1252   NtCreateThread  (0x1f03ff, 0x0, -1, 11533196, 11533140, 1, ... 96, {1736, 384}, ) == 0x0
 00756  1252   NtQueryInformationThread  (96, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdd000,Pid=1736,Tid=384,}, 0x0, ) == 0x0
 00757  1252   NtRequestWaitReplyPort  (28, {28, 56, new_msg, 0, 2089878589, 0, 0, -2142234563}  (28, {28, 56, new_msg, 0, 2089878589, 0, 0, -2142234563} "\0\0\0\0\1\0\1\0\30\356\220|p\5\221|`\0\0\0\310\6\0\0\200\1\0\0" ...  ...
 00750  1028   NtSetInformationThread  ... ) == 0x0
 00758  1028   NtSetEvent  (88, ...
 00745  1744   NtWaitForSingleObject  ... ) == 0x0
 00759  1744   NtClose  (88, ... ) == 0x0
 00760  1744   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 88, ) == 0x0
 00761  1744   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 9437184, 1048576, ) == 0x0
 00762  1744   NtAllocateVirtualMemory  (-1, 10477568, 0, 8192, 4096, 4, ... 10477568, 8192, ) == 0x0
 00763  1744   NtProtectVirtualMemory  (-1, (0x9fe000), 4096, 260, ... (0x9fe000), 4096, 4, ) == 0x0
 00764  1744   NtCreateThread  (0x1f03ff, 0x0, -1, 1244104, 1244048, 1, ... 100, {1736, 1180}, ) == 0x0
 00765  1744   NtQueryInformationThread  (100, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffda000,Pid=1736,Tid=1180,}, 0x0, ) == 0x0
 00766  1744   NtRequestWaitReplyPort  (28, {28, 56, new_msg, 0, 1736, 1744, 75512, 0}  (28, {28, 56, new_msg, 0, 1736, 1744, 75512, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\200\274\262\367d\0\0\0\310\6\0\0\234\4\0\0" ... {28, 56, reply, 0, 1736, 1744, 75516, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\200\274\262\367d\0\0\0\310\6\0\0\234\4\0\0" )  ... {28, 56, reply, 0, 1736, 1744, 75516, 0}  (28, {28, 56, new_msg, 0, 1736, 1744, 75512, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\200\274\262\367d\0\0\0\310\6\0\0\234\4\0\0" ... {28, 56, reply, 0, 1736, 1744, 75516, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\200\274\262\367d\0\0\0\310\6\0\0\234\4\0\0" )  ) == 0x0
 00767  1744   NtResumeThread  (100, ... 1, ) == 0x0
 00768  1744   NtClose  (100, ... ) == 0x0
 00769  1744   NtWaitForSingleObject  (88, 0, 0x0, ...
 00770  1180   NtRequestWaitReplyPort  (28, {24, 52, new_msg, 0, 0, 0, 0, 0}  (28, {24, 52, new_msg, 0, 0, 0, 0, 0} "\0\0\0\0Q\2\2\0\0\0\0\0\0\0\0\0\1\0:\0\0\0\0\0" ... {24, 52, reply, 0, 1736, 1180, 75517, 0} "\0\0\0\0Q\2\2\0\273\0\0\300\0\0\0\0\1\0:\0\0\0\0\0" )  ... {24, 52, reply, 0, 1736, 1180, 75517, 0}  (28, {24, 52, new_msg, 0, 0, 0, 0, 0} "\0\0\0\0Q\2\2\0\0\0\0\0\0\0\0\0\1\0:\0\0\0\0\0" ... {24, 52, reply, 0, 1736, 1180, 75517, 0} "\0\0\0\0Q\2\2\0\273\0\0\300\0\0\0\0\1\0:\0\0\0\0\0" )  ) == 0x0
 00771  1180   NtTestAlert  (... ) == 0x0
 00772  1180   NtContinue  (10485040, 1, ...
 00773  1180   NtRegisterThreadTerminatePort  (28, ... ) == 0x0
 00774  1180   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 00758  1028   NtSetEvent  ... 0x0, ) == 0x0
 00775  1028   NtQueryInformationThread  (-2, AmILastThread, 4, ... {thread info, class 12, size 4}, 0x0, ) == 0x0
 00776  1028   NtTerminateThread  (0, 0, ...
 00757  1252   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1736, 1252, 75515, 0}  ... {28, 56, reply, 0, 1736, 1252, 75515, 0} "\0\0\0\0\1\0\1\0\0\0\0\0p\5\221|`\0\0\0\310\6\0\0\200\1\0\0" )  ) == 0x0
 00774  1180   NtSetInformationThread  ... ) == 0x0
 00777  1252   NtResumeThread  (96, ...
 00778  1180   NtSetEvent  (88, ...
 00779   384   NtRequestWaitReplyPort  (28, {24, 52, new_msg, 0, 0, 0, 0, 0}  (28, {24, 52, new_msg, 0, 0, 0, 0, 0} "\0\0\0\0Q\2\2\0\0\0\0\0\0\0\0\0\1\0:\0\0\0\0\0" ...  ...
 00777  1252   NtResumeThread  ... 1, ) == 0x0
 00779   384   NtRequestWaitReplyPort  ... {24, 52, reply, 0, 1736, 384, 75518, 0}  ... {24, 52, reply, 0, 1736, 384, 75518, 0} "\0\0\0\0Q\2\2\0\273\0\0\300\0\0\0\0\1\0:\0\0\0\0\0" )  ) == 0x0
 00769  1744   NtWaitForSingleObject  ... ) == 0x0
 00778  1180   NtSetEvent  ... 0x0, ) == 0x0
 00780   384   NtTestAlert  (...
 00781  1744   NtClose  (88, ...
 00782  1252   NtClose  (96, ...
 00780   384   NtTestAlert  ... ) == 0x0
 00781  1744   NtClose  ... ) == 0x0
 00783  1180   NtQueryInformationThread  (-2, AmILastThread, 4, ...
 00784  1744   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 00785   384   NtContinue  (12582192, 1, ...
 00782  1252   NtClose  ... ) == 0x0
 00784  1744   NtCreateEvent  ... 96, ) == 0x0
 00786   384   NtRegisterThreadTerminatePort  (28, ...
 00783  1180   NtQueryInformationThread  ... {thread info, class 12, size 4}, 0x0, ) == 0x0
 00786   384   NtRegisterThreadTerminatePort  ... ) == 0x0
 00787  1744   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 00788  1252   NtWaitForSingleObject  (92, 0, 0x0, ...
 00789   384   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 00787  1744   NtAllocateVirtualMemory  ... 13631488, 1048576, ) == 0x0
 00790  1180   NtTerminateThread  (0, 0, ...
 00791  1028   NtFreeVirtualMemory  (-1, (0xc00000), 0, 32768, ...
 00792  1744   NtAllocateVirtualMemory  (-1, 14671872, 0, 8192, 4096, 4, ...
 00789   384   NtSetInformationThread  ... ) == 0x0
 00791  1028   NtFreeVirtualMemory  ... (0xc00000), 1048576, ) == 0x0
 00792  1744   NtAllocateVirtualMemory  ... 14671872, 8192, ) == 0x0
 00793  1744   NtProtectVirtualMemory  (-1, (0xdfe000), 4096, 260, ... (0xdfe000), 4096, 4, ) == 0x0
 00794  1744   NtCreateThread  (0x1f03ff, 0x0, -1, 1244104, 1244048, 1, ... 88, {1736, 420}, ) == 0x0
 00795  1744   NtQueryInformationThread  (88, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdb000,Pid=1736,Tid=420,}, 0x0, ) == 0x0
 00796  1744   NtRequestWaitReplyPort  (28, {28, 56, new_msg, 0, 1736, 1744, 75516, 0}  (28, {28, 56, new_msg, 0, 1736, 1744, 75516, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\200\274\262\367X\0\0\0\310\6\0\0\244\1\0\0" ... {28, 56, reply, 0, 1736, 1744, 75520, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\200\274\262\367X\0\0\0\310\6\0\0\244\1\0\0" )  ... {28, 56, reply, 0, 1736, 1744, 75520, 0}  (28, {28, 56, new_msg, 0, 1736, 1744, 75516, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\200\274\262\367X\0\0\0\310\6\0\0\244\1\0\0" ... {28, 56, reply, 0, 1736, 1744, 75520, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\200\274\262\367X\0\0\0\310\6\0\0\244\1\0\0" )  ) == 0x0
 00797  1744   NtResumeThread  (88, ... 1, ) == 0x0
 00798  1744   NtClose  (88, ... ) == 0x0
 00799  1744   NtWaitForSingleObject  (96, 0, 0x0, ...
 00800   420   NtRequestWaitReplyPort  (28, {24, 52, new_msg, 0, 0, 0, 0, 0}  (28, {24, 52, new_msg, 0, 0, 0, 0, 0} "\0\0\0\0Q\2\2\0\0\0\0\0\0\0\0\0\1\0:\0\0\0\0\0" ... {24, 52, reply, 0, 1736, 420, 75521, 0} "\0\0\0\0Q\2\2\0\273\0\0\300\0\0\0\0\1\0:\0\0\0\0\0" )  ... {24, 52, reply, 0, 1736, 420, 75521, 0}  (28, {24, 52, new_msg, 0, 0, 0, 0, 0} "\0\0\0\0Q\2\2\0\0\0\0\0\0\0\0\0\1\0:\0\0\0\0\0" ... {24, 52, reply, 0, 1736, 420, 75521, 0} "\0\0\0\0Q\2\2\0\273\0\0\300\0\0\0\0\1\0:\0\0\0\0\0" )  ) == 0x0
 00801   420   NtTestAlert  (... ) == 0x0
 00802   420   NtContinue  (14679344, 1, ...
 00803   420   NtRegisterThreadTerminatePort  (28, ... ) == 0x0
 00804   420   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 00805   384   NtSetEvent  (92, ... 0x0, ) == 0x0
 00806   384   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 88, ) == 0x0
 00807   384   NtCallbackReturn  (0, 0, 0, ...
 00788  1252   NtWaitForSingleObject  ... ) == 0x0
 00808  1180   NtFreeVirtualMemory  (-1, (0x900000), 0, 32768, ...
 00804   420   NtSetInformationThread  ... ) == 0x0
 00808  1180   NtFreeVirtualMemory  ... (0x900000), 1048576, ) == 0x0
 00809  1252   NtClose  (92, ...
 00810   420   NtSetEvent  (96, ...
 00809  1252   NtClose  ... ) == 0x0
 00799  1744   NtWaitForSingleObject  ... ) == 0x0
 00810   420   NtSetEvent  ... 0x0, ) == 0x0
 00811  1744   NtClose  (96, ...
 00812  1252   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 00811  1744   NtClose  ... ) == 0x0
 00813   420   NtQueryInformationThread  (-2, AmILastThread, 4, ...
 00814  1744   NtCreateFile  (0x40100080, {24, 0, 0x42, 0, 1244568,  (0x40100080, {24, 0, 0x42, 0, 1244568, "\??\c:\WINDOWS\system32\drivers\etc\hosts"}, 0x0, 128, 3, 5, 96, 0, 0, ... }, 0x0, 128, 3, 5, 96, 0, 0, ...
 00812  1252   NtCreateEvent  ... 96, ) == 0x0
 00815  1744   NtClose  (-2147482576, ...
 00813   420   NtQueryInformationThread  ... {thread info, class 12, size 4}, 0x0, ) == 0x0
 00816   384   NtUserBuildHwndList  (0, 0, 0, 0, 64, ...
 00815  1744   NtClose  ... ) == 0x0
 00817   420   NtTerminateThread  (0, 0, ...
 00814  1744   NtCreateFile  ... 92, {status=0x0, info=3}, ) == 0x0
 00816   384   NtUserBuildHwndList  ... (0x1a00f4, 0x5009e, 0x400fa, 0x10074, 0x10070, 0x10080, 0x10084, 0x30048, 0x10072, 0x20052, 0x5009c, 0x1401b6, 0xc01d2, 0xd0102, 0x500a2, 0xd011a, 0x10090, 0x100d0, 0x200b0, 0x100cc, 0x13010c, 0x16012c, 0x7015a, 0xd01c8, 0xe01ac, 0xc01d0, 0xa01cc, 0x3014c, 0x1011c, 0x100e6, 0x100d6, 0x100d2, 0x100ca, 0x100c8, 0x100ba, 0x100ae, 0x100ac, 0x300a6, 0x10078, 0x30062, 0x50036, 0x5005c, 0x100be, 0x400fe, 0x10092, 0x10086, 0x40034, 0x50050, 0x1013c, 0x10120, 0x100c2, 0x100bc, 0x2014e, 0x100d8, 0x100b6, 0x100b8, 0x100b4, 0x100c0, 0x1009a, 0x5005e, 0x1, ), 61, ) == 0x0
 00818  1252   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 00819  1744   NtQueryVolumeInformationFile  (92, 1244672, 8, Device, ...
 00820   384   NtUserValidateHandleSecure  (1704180, ...
 00819  1744   NtQueryVolumeInformationFile  ... {status=0x0, info=8}, ) == 0x0
 00818  1252   NtAllocateVirtualMemory  ... 9437184, 1048576, ) == 0x0
 00821  1744   NtAllocateVirtualMemory  (-1, 3297280, 0, 8192, 4096, 4, ...
 00820   384   NtUserValidateHandleSecure  ... ) == 0x1
 00821  1744   NtAllocateVirtualMemory  ... 3297280, 8192, ) == 0x0
 00822  1252   NtAllocateVirtualMemory  (-1, 10477568, 0, 8192, 4096, 4, ...
 00823  1744   NtWriteFile  (92, 0, 0, 0,  (92, 0, 0, 0, "\15\12127.0.0.1\11localhost\15\12127.0.0.1\11www.symantec.com\15\12127.0.0.1\11securityresponse.symantec.com\15\12127.0.0.1\11downloads1.kaspersky-labs.com\15\12127.0.0.1\11downloads2.kaspersky-labs.com\15\12127.0.0.1\11downloads3.kaspersky-labs.com\15\12127.0.0.1\11downloads4.kaspersky-labs.com\15\12127.0.0.1\11downloads5.kaspersky-labs.com\15\12127.0.0.1\11www.kaspersky-labs.com\15\12127.0.0.1\11symantec.com\15\12127.0.0.1\11www.sophos.com\15\12127.0.0.1\11sophos.com\15\12127.0.0.1\11www.mcafee.com\15\12127.0.0.1\11mcafee.com\15\12127.0.0.1\11liveupdate.symantecliveupdate.com\15\12127.", 1024, 0x0, 0, ... , 1024, 0x0, 0, ...
 00824   384   NtUserQueryWindow  (1704180, 0, ...
 00823  1744   NtWriteFile  ... {status=0x0, info=1024}, ) == 0x0
 00822  1252   NtAllocateVirtualMemory  ... 10477568, 8192, ) == 0x0
 00825  1744   NtWriteFile  (92, 0, 0, 0,  (92, 0, 0, 0, "\15\12127.0.0.1\11www.nai.com\15\12127.0.0.1\11update.symantec.com\15\12127.0.0.1\11updates.symantec.com\15\12127.0.0.1\11us.mcafee.com\15\12127.0.0.1\11liveupdate.symantec.com\15\12127.0.0.1\11customer.symantec.com\15\12127.0.0.1\11rads.mcafee.com\15\12127.0.0.1\11trendmicro.com\15\12127.0.0.1\11www.trendmicro.com\15\12127.0.0.1\11vncsvr.com\15\12127.0.0.1\11secdreg.org\15\12127.0.0.1\11virusscan.jotti.org\15\12127.0.0.1\11virustotal.com\15\12127.0.0.1\11www.virustotal.com\15\12127.0.0.1\11www.jotti.org\15\12127.0.0.1\11cdn.atwola.com\15\12127.0.0.1\11www.atwola.com\15\12127.0.0.1\11support.microsoft", 1024, 0x0, 0, ... , 1024, 0x0, 0, ...
 00824   384   NtUserQueryWindow  ... ) == 0x6b8
 00825  1744   NtWriteFile  ... {status=0x0, info=1024}, ) == 0x0
 00826  1252   NtProtectVirtualMemory  (-1, (0x9fe000), 4096, 260, ...
 00827   420   NtFreeVirtualMemory  (-1, (0xd00000), 0, 32768, ...
 00828  1744   NtWriteFile  (92, 0, 0, 0,  (92, 0, 0, 0, "0.1\11www.sophos.com\15\12127.0.0.1\11www.symantec.com\15\12127.0.0.1\11www.trendmicro.com\15\12127.0.0.1\11www.viruslist.ru\15\12127.0.0.1\11www3.ca.com\15\12127.0.0.1\11www.advancedcleaner.com\15\12127.0.0.1\11advancedcleaner.com\15\12127.0.0.1\11secure.advancedcleaner.com\15\12127.0.0.1\11protect.advancedcleaner.com\15\12127.0.0.1\11jsp.advancedcleaner.com\15\12127.0.0.1\11liveupdatesnet.com\15\12127.0.0.1\11www.liveupdatesnet.com\15\12127.0.0.1\11theinstalls.com\15\12127.0.0.1\11www.theinstalls.com\15\12127.0.0.1\11allofyouwant.com\15\12127.0.0.1\11www.here4search.biz\15\12127.0.0.1\11he", 1024, 0x0, 0, ... , 1024, 0x0, 0, ...
 00827   420   NtFreeVirtualMemory  ... (0xd00000), 1048576, ) == 0x0
 00828  1744   NtWriteFile  ... {status=0x0, info=1024}, ) == 0x0
 00829  1744   NtWriteFile  (92, 0, 0, 0,  (92, 0, 0, 0, "nt.net\15\12127.0.0.1\11www.mediacount.net\15\12127.0.0.1\11bin.errorprotector.com\15\12127.0.0.1\11www.errorprotector.com\15\12127.0.0.1\11br.errorsafe.com\15\12127.0.0.1\11www.errorsafe.com\15\12127.0.0.1\11br.winantivirus.com\15\12127.0.0.1\11www.winantivirus.com\15\12127.0.0.1\11br.winfixer.com\15\12127.0.0.1\11www.winfixer.com\15\12127.0.0.1\11cdn.drivecleaner.com\15\12127.0.0.1\11www.drivecleaner.com\15\12127.0.0.1\11cdn.errorsafe.com\15\12127.0.0.1\11www.errorsafe.com\15\12127.0.0.1\11cdn.winsoftware.com\15\12127.0.0.1\11www.winsoftware.com\15\12127.0.0.1\11de.errorsafe.com\15\12127.0.0", 1024, 0x0, 0, ... {status=0x0, info=1024}, ) , 1024, 0x0, 0, ... {status=0x0, info=1024}, ) == 0x0
 00830  1744   NtWriteFile  (92, 0, 0, 0,  (92, 0, 0, 0, "antivirus.com\15\12127.0.0.1\11fr.winantivirus.com\15\12127.0.0.1\11fr.winfixer.com\15\12127.0.0.1\11go.drivecleaner.com\15\12127.0.0.1\11go.errorsafe.com\15\12127.0.0.1\11g", 143, 0x0, 0, ... {status=0x0, info=143}, ) , 143, 0x0, 0, ... {status=0x0, info=143}, ) == 0x0
 00831  1744   NtWriteFile  (92, 0, 0, 0,  (92, 0, 0, 0, "o.winantispyware.com\15\12127.0.0.1\11go.winantivirus.com\15\12127.0.0.1\11hk.winantivirus.com\15\12127.0.0.1\11instlog.errorsafe.com\15\12127.0.0.1\11instlog.winantivirus.com\15\12127.0.0.1\11instlog.winfixer.com\15\12127.0.0.1\11jsp.drivecleaner.com\15\12127.0.0.1\11kb.errorsafe.com\15\12127.0.0.1\11kb.winantivirus.com\15\12127.0.0.1\11nl.errorsafe.com\15\12127.0.0.1\11se.errorsafe.com\15\12127.0.0.1\11secure.drivecleaner.com\15\12127.0.0.1\11secure.errorsafe.com\15\12127.0.0.1\11secure.winantispam.com\15\12127.0.0.1\11secure.winantispy.com\15\12127.0.0.1\11secure.winantivirus.com\15", 1024, 0x0, 0, ... {status=0x0, info=1024}, ) , 1024, 0x0, 0, ... {status=0x0, info=1024}, ) == 0x0
 00832  1744   NtWriteFile  (92, 0, 0, 0,  (92, 0, 0, 0, "ti-virus-pro.com\15\12127.0.0.1\11www.win-virus-pro.com\15\12127.0.0.1\11www.winantispam.com\15\12127.0.0.1\11www.winantispy.com\15\12127.0.0.1\11www.winantispyware.com\15\12127.0.0.1\11www.winantivirus.com\15\12127.0.0.1\11www.winantiviruspro.com\15\12127.0.0.1\11www.windrivecleaner.com\15\12127.0.0.1\11www.windrivesafe.com\15\12127.0.0.1\11www.winfixer.com\15\12127.0.0.1\11www.winfixer2006.com\15\12127.0.0.1\11www.winsoftware.com\15\12127.0.0.1\11www.usagc.org\15\12127.0.0.1\11www.prospywareremover.com\15\12127.0.0.1\11prospywareremover.com\15\12127.0.0.1\11www.noadware.com--e.com\15", 1024, 0x0, 0, ... {status=0x0, info=1024}, ) , 1024, 0x0, 0, ... {status=0x0, info=1024}, ) == 0x0
 00833  1744   NtWriteFile  (92, 0, 0, 0,  (92, 0, 0, 0, "0.0.1\11computerspywarecheck.com\15\12127.0.0.1\11www.compare-spyware.com\15\12127.0.0.1\11compare-spyware.com\15\12127.0.0.1\11www.spywareremoval.ws\15\12127.0.0.1\11spywareremoval.ws\15\12127.0.0.1\11www.ridadware.org\15\12127.0.0.1\11ridadware.org\15\12127.0.0.1\11www.elimiware.com\15\12127.0.0.1\11elimiware.com\15\12127.0.0.1\11www.nomorespyware.net\15\12127.0.0.1\11nomorespyware.net\15\12127.0.0.1\11www.123-spyware-remover.com\15\12127.0.0.1\11123-spyware-remover.com\15\12127.0.0.1\11www.spyware-adware-removal.net\15\12127.0.0.1\11spyware-adware-removal.net\15\12127.0.0.1\11www.sp", 1024, 0x0, 0, ... {status=0x0, info=1024}, ) , 1024, 0x0, 0, ... {status=0x0, info=1024}, ) == 0x0
 00834  1744   NtWriteFile  (92, 0, 0, 0,  (92, 0, 0, 0, "0.1\11popuptraffic.com\15\12127.0.0.1\11fastclick.com\15\12127.0.0.1\11fastclick.net\15\12127.0.0.1\11adserving.cpxinteractive.com\15\12127.0.0.1\11www.usafis.org\15\12127.0.0.1\11brazauskas.info\15\12127.0.0.1\11centralgate.biz\15\12127.0.0.1\11clickfast.biz\15\12127.0.0.1\11code.jcash.biz\15\12127.0.0.1\11code.trasferimento.biz\15\12127.0.0.1\11cyber-search.biz\15\12127.0.0.1\11download.accessmedia.tv\15\12127.0.0.1\11download.jupitersatellites.biz\15\12127.0.0.1\11exeloads.info\15\12127.0.0.1\11forlink.biz\15\12127.0.0.1\11game4all.biz\15\12127.0.0.1\11get-access.host.sk\15\12127.0.0.1\11musah.", 1024, 0x0, 0, ... {status=0x0, info=1024}, ) , 1024, 0x0, 0, ... {status=0x0, info=1024}, ) == 0x0
 00835  1744   NtWriteFile  (92, 0, 0, 0,  (92, 0, 0, 0, "ff4ppc.biz\15\12127.0.0.1\11www.zgallery.us\15\12127.0.0.1\11ybbwxlxytz.biz\15\12127.0.0.1\11yepjnddqpq.biz\15\12127.0.0.1\11yhvoo.eseconsult.info\15\12127.0.0.1\11zchxsi", 140, 0x0, 0, ... {status=0x0, info=140}, ) , 140, 0x0, 0, ... {status=0x0, info=140}, ) == 0x0
 00836  1744   NtWriteFile  (92, 0, 0, 0,  (92, 0, 0, 0, "kpgz.biz\15\12127.0.0.1\11zgallery.us\15\12127.0.0.1\11mmsk.cn\15\12127.0.0.1\11ikaka.com\15\12127.0.0.1\11safe.qq.com\15\12127.0.0.1\11360safe.com\15\12127.0.0.1\11www.mmsk.cn\15\12127.0.0.1\11www.ikaka.com\15\12127.0.0.1\11tool.ikaka.com\15\12127.0.0.1\11www.360safe.com\15\12127.0.0.1\11zs.kingsoft.com\15\12127.0.0.1\11forum.ikaka.com\15\12127.0.0.1\11up.rising.com.cn\15\12127.0.0.1\11scan.kingsoft.com\15\12127.0.0.1\11kvup.jiangmin.com\15\12127.0.0.1\11reg.rising.com.cn\15\12127.0.0.1\11update.rising.com.cn\15\12127.0.0.1\11update7.jiangmin.com\15\12127.0.0.1\11download.rising.com.cn\15\12127.0.0.1\11dnl", 1024, 0x0, 0, ... {status=0x0, info=1024}, ) , 1024, 0x0, 0, ... {status=0x0, info=1024}, ) == 0x0
 00837  1744   NtWriteFile  (92, 0, 0, 0,  (92, 0, 0, 0, "0.0.1\11dnl-eu5.kaspersky-labs.com\15\12127.0.0.1\11dnl-eu6.kaspersky-labs.com\15\12127.0.0.1\11dnl-eu7.kaspersky-labs.com\15\12127.0.0.1\11dnl-eu8.kaspersky-labs.com\15\12127.0.0.1\11dnl-eu9.kaspersky-labs.com\15\12127.0.0.1\11dnl-eu10.kaspersky-labs.com\15\12127.0.0.1\11dnl-eu11.kaspersky-labs.com\15\12127.0.0.1\11dnl-eu12.kaspersky-labs.com\15\12127.0.0.1\11dnl-eu13.kaspersky-labs.com\15\12127.0.0.1\11dnl-cd1.kaspersky-labs.com\15\12127.0.0.1\11dnl-ru1.kaspersky-labs.com\15\12127.0.0.1\11dnl-ru2.kaspersky-labs.com\15\12127.0.0.1\11dnl-ru5.kaspersky-labs.com\15\12127.0.", 1024, 0x0, 0, ... {status=0x0, info=1024}, ) , 1024, 0x0, 0, ... {status=0x0, info=1024}, ) == 0x0
 00838  1744   NtWriteFile  (92, 0, 0, 0,  (92, 0, 0, 0, "o\15\12127.0.0.1\11darksheekz.info\15\12127.0.0.1\11pcsecuritylab.com\15\12127.0.0.1\11liveupdatesnet.com\15\12127.0.0.1\11rhythmswing.org\15\12127.0.0.1\11www.rhythmswing.org\15\12127.0.0.1\11pool.hybridtx.com\15\12127.0.0.1\11hybridtx.com\15\12127.0.0.1\11in1.smtp.messagingengine.com\15\12127.0.0.1\11messagingengine.com\15\12127.0.0.1\11h.gtld-servers.net\15\12127.0.0.1\11gtld-servers.net\15\12127.0.0.1\11mail7.digitalwaves.co.nz\15\12127.0.0.1\11netau.dk\15\12127.0.0.1\11www.netau.dk\15\12127.0.0.1\11eircd.zief.pl\15\12127.0.0.1\11zief.pl\15\12127.0.0.1\11proxim.ircgalaxy.pl\15\12127.0.0.1\11proxim", 836, 0x0, 0, ... {status=0x0, info=836}, ) , 836, 0x0, 0, ... {status=0x0, info=836}, ) == 0x0
 00839  1744   NtClose  (92, ... ) == 0x0
 00840  1744   NtQueryInformationThread  (-2, AmILastThread, 4, ... {thread info, class 12, size 4}, 0x0, ) == 0x0
 00841  1744   NtUserCallOneParam  (0, 40, ... ) == 0x4090409
 00842  1744   NtUserGetThreadState  (4, ... ) == 0x5a01f7
 00843  1744   NtUserValidateHandleSecure  (5898743, ... ) == 0x1
 00844  1744   NtClose  (76, ... ) == 0x0
 00845  1744   NtClose  (72, ... ) == 0x0
 00846  1744   NtTerminateThread  (0, 0, ...
 00847  1744   NtFreeVirtualMemory  (-1, (0x30000), 0, 32768, ... (0x30000), 1048576, ) == 0x0
 00826  1252   NtProtectVirtualMemory  ... (0x9fe000), 4096, 4, ) == 0x0
 00848  1252   NtCreateThread  (0x1f03ff, 0x0, -1, 11533196, 11533140, 1, ... 32, {1736, 596}, ) == 0x0
 00849  1252   NtQueryInformationThread  (32, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffde000,Pid=1736,Tid=596,}, 0x0, ) == 0x0
 00850  1252   NtRequestWaitReplyPort  (28, {28, 56, new_msg, 0, 1736, 1252, 75515, 0}  (28, {28, 56, new_msg, 0, 1736, 1252, 75515, 0} "\0\0\0\0\1\0\1\0\0\0\0\0p\5\221| \0\0\0\310\6\0\0T\2\0\0" ...  ...
 00851   384   NtUserQueryWindow  (1704180, 1, ... ) == 0x6d4
 00852   384   NtUserValidateHandleSecure  (327838, ... ) == 0x1
 00853   384   NtUserQueryWindow  (327838, 0, ... ) == 0x6b8
 00850  1252   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1736, 1252, 75525, 0}  ... {28, 56, reply, 0, 1736, 1252, 75525, 0} "\0\0\0\0\1\0\1\0\0\0\0\0p\5\221| \0\0\0\310\6\0\0T\2\0\0" )  ) == 0x0
 00854  1252   NtResumeThread  (32, ...
 00855   596   NtRequestWaitReplyPort  (28, {24, 52, new_msg, 0, 0, 0, 0, 0}  (28, {24, 52, new_msg, 0, 0, 0, 0, 0} "\0\0\0\0Q\2\2\0\0\0\0\0\0\0\0\0\1\0:\0\0\0\0\0" ... {24, 52, reply, 0, 1736, 596, 75526, 0} "\0\0\0\0Q\2\2\0\273\0\0\300\0\0\0\0\1\0:\0\0\0\0\0" )  ... {24, 52, reply, 0, 1736, 596, 75526, 0}  (28, {24, 52, new_msg, 0, 0, 0, 0, 0} "\0\0\0\0Q\2\2\0\0\0\0\0\0\0\0\0\1\0:\0\0\0\0\0" ... {24, 52, reply, 0, 1736, 596, 75526, 0} "\0\0\0\0Q\2\2\0\273\0\0\300\0\0\0\0\1\0:\0\0\0\0\0" )  ) == 0x0
 00856   596   NtTestAlert  (... ) == 0x0
 00857   596   NtContinue  (10485040, 1, ...
 00858   596   NtRegisterThreadTerminatePort  (28, ... ) == 0x0
 00859   596   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 00854  1252   NtResumeThread  ... 1, ) == 0x0
 00860  1252   NtClose  (32, ... ) == 0x0
 00861  1252   NtWaitForSingleObject  (96, 0, 0x0, ...
 00862   384   NtUserQueryWindow  (327838, 1, ... ) == 0x6d4
 00863   384   NtUserValidateHandleSecure  (262394, ... ) == 0x1
 00864   384   NtUserQueryWindow  (262394, 0, ... ) == 0x6b8
 00859   596   NtSetInformationThread  ... ) == 0x0
 00865   596   NtSetEvent  (96, ... 0x0, ) == 0x0
 00866   596   NtRaiseException  (10484848, 10484108, 1, ...
 00867   596   NtContinue  (10483068, 0, ...
 00868   596   NtWaitForSingleObject  (56, 0, 0x0, ...
 00861  1252   NtWaitForSingleObject  ... ) == 0x0
 00869   384   NtUserQueryWindow  (262394, 1, ...
 00870  1252   NtClose  (96, ...
 00869   384   NtUserQueryWindow  ... ) == 0x6d4
 00870  1252   NtClose  ... ) == 0x0
 00871   384   NtUserValidateHandleSecure  (65652, ...
 00872  1252   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 00871   384   NtUserValidateHandleSecure  ... ) == 0x1
 00872  1252   NtCreateEvent  ... 96, ) == 0x0
 00873   384   NtUserQueryWindow  (65652, 0, ...
 00868   596   NtWaitForSingleObject  ... ) == 0x0
 00873   384   NtUserQueryWindow  ... ) == 0x6b8
 00874   596   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... }, ...
 00875  1252   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 00874   596   NtOpenSection  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00875  1252   NtAllocateVirtualMemory  ... 196608, 1048576, ) == 0x0
 00876   596   NtReleaseMutant  (56, ...
 00877  1252   NtAllocateVirtualMemory  (-1, 1236992, 0, 8192, 4096, 4, ...
 00876   596   NtReleaseMutant  ... 0x0, ) == 0x0
 00877  1252   NtAllocateVirtualMemory  ... 1236992, 8192, ) == 0x0
 00878   384   NtUserQueryWindow  (65652, 1, ...
 00879  1252   NtProtectVirtualMemory  (-1, (0x12e000), 4096, 260, ...
 00878   384   NtUserQueryWindow  ... ) == 0x6d4
 00879  1252   NtProtectVirtualMemory  ... (0x12e000), 4096, 4, ) == 0x0
 00880   384   NtUserValidateHandleSecure  (65648, ...
 00881   596   NtQueryInformationThread  (-2, AmILastThread, 4, ...
 00880   384   NtUserValidateHandleSecure  ... ) == 0x1
 00881   596   NtQueryInformationThread  ... {thread info, class 12, size 4}, 0x0, ) == 0x0
 00882   384   NtUserQueryWindow  (65648, 0, ...
 00883   596   NtTerminateThread  (0, 0, ...
 00882   384   NtUserQueryWindow  ... ) == 0x6b8
 00884   596   NtFreeVirtualMemory  (-1, (0x900000), 0, 32768, ...
 00885  1252   NtCreateThread  (0x1f03ff, 0x0, -1, 11533196, 11533140, 1, ...
 00884   596   NtFreeVirtualMemory  ... (0x900000), 1048576, ) == 0x0
 00885  1252   NtCreateThread  ... 32, {1736, 376}, ) == 0x0
 00886  1252   NtQueryInformationThread  (32, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffde000,Pid=1736,Tid=376,}, 0x0, ) == 0x0
 00887  1252   NtRequestWaitReplyPort  (28, {28, 56, new_msg, 0, 1736, 1252, 75525, 0}  (28, {28, 56, new_msg, 0, 1736, 1252, 75525, 0} "\0\0\0\0\1\0\1\0\0\0\0\0p\5\221| \0\0\0\310\6\0\0x\1\0\0" ... {28, 56, reply, 0, 1736, 1252, 75528, 0} "\0\0\0\0\1\0\1\0\0\0\0\0p\5\221| \0\0\0\310\6\0\0x\1\0\0" )  ... {28, 56, reply, 0, 1736, 1252, 75528, 0}  (28, {28, 56, new_msg, 0, 1736, 1252, 75525, 0} "\0\0\0\0\1\0\1\0\0\0\0\0p\5\221| \0\0\0\310\6\0\0x\1\0\0" ... {28, 56, reply, 0, 1736, 1252, 75528, 0} "\0\0\0\0\1\0\1\0\0\0\0\0p\5\221| \0\0\0\310\6\0\0x\1\0\0" )  ) == 0x0
 00888  1252   NtResumeThread  (32, ...
 00889   376   NtRequestWaitReplyPort  (28, {24, 52, new_msg, 0, 0, 0, 0, 0}  (28, {24, 52, new_msg, 0, 0, 0, 0, 0} "\0\0\0\0Q\2\2\0\0\0\0\0\0\0\0\0\1\0:\0\0\0\0\0" ... {24, 52, reply, 0, 1736, 376, 75529, 0} "\0\0\0\0Q\2\2\0\273\0\0\300\0\0\0\0\1\0:\0\0\0\0\0" )  ... {24, 52, reply, 0, 1736, 376, 75529, 0}  (28, {24, 52, new_msg, 0, 0, 0, 0, 0} "\0\0\0\0Q\2\2\0\0\0\0\0\0\0\0\0\1\0:\0\0\0\0\0" ... {24, 52, reply, 0, 1736, 376, 75529, 0} "\0\0\0\0Q\2\2\0\273\0\0\300\0\0\0\0\1\0:\0\0\0\0\0" )  ) == 0x0
 00890   376   NtTestAlert  (... ) == 0x0
 00891   376   NtContinue  (1244464, 1, ...
 00892   376   NtRegisterThreadTerminatePort  (28, ... ) == 0x0
 00893   376   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ... ) == 0x0
 00894   376   NtSetEvent  (96, ... 0x0, ) == 0x0
 00895   376   NtOpenEvent  (0x100000, {24, 52, 0x0, 0, 0,  (0x100000, {24, 52, 0x0, 0, 0, "Global\SvcctrlStartEvent_A3752DX"}, ... 72, ) }, ... 72, ) == 0x0
 00896   376   NtWaitForSingleObject  (72, 0, {-1800000000, -1}, ...
 00888  1252   NtResumeThread  ... 1, ) == 0x0
 00897   384   NtUserQueryWindow  (65648, 1, ...
 00898  1252   NtClose  (32, ...
 00897   384   NtUserQueryWindow  ... ) == 0x6d4
 00898  1252   NtClose  ... ) == 0x0
 00899   384   NtUserValidateHandleSecure  (65664, ...
 00900  1252   NtWaitForSingleObject  (96, 0, 0x0, ...
 00899   384   NtUserValidateHandleSecure  ... ) == 0x1
 00896   376   NtWaitForSingleObject  ... ) == 0x0
 00901   384   NtUserQueryWindow  (65664, 0, ...
 00902   376   NtClose  (72, ...
 00901   384   NtUserQueryWindow  ... ) == 0x6b8
 00902   376   NtClose  ... ) == 0x0
 00900  1252   NtWaitForSingleObject  ... ) == 0x0
 00903   376   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 00904  1252   NtClose  (96, ...
 00903   376   NtCreateEvent  ... 72, ) == 0x0
 00904  1252   NtClose  ... ) == 0x0
 00905   384   NtUserQueryWindow  (65664, 1, ...
 00906  1252   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 00905   384   NtUserQueryWindow  ... ) == 0x6d4
 00906  1252   NtCreateEvent  ... 96, ) == 0x0
 00907   384   NtUserValidateHandleSecure  (65668, ...
 00908   376   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 00907   384   NtUserValidateHandleSecure  ... ) == 0x1
 00908   376   NtDuplicateObject  ... 32, ) == 0x0
 00909   384   NtUserQueryWindow  (65668, 0, ...
 00910   376   NtDeviceIoControlFile  (80, 0, 0x0, 0x0, 0x390008,  (80, 0, 0x0, 0x0, 0x390008, "\335\346W*\217\342\312'!\16Z\355f\312\267aJ\15\236\177\357\37C\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 00909   384   NtUserQueryWindow  ... ) == 0x6b8
 00911   376   NtQuerySystemInformation  (TimeOfDay, 48, ...
 00912  1252   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 00911   376   NtQuerySystemInformation  ... {system info, class 3, size 48}, 48, ) == 0x0
 00912  1252   NtAllocateVirtualMemory  ... 9437184, 1048576, ) == 0x0
 00913   376   NtQuerySystemInformation  (ProcessorTimes, 48, ...
 00914  1252   NtAllocateVirtualMemory  (-1, 10477568, 0, 8192, 4096, 4, ...
 00915   384   NtUserQueryWindow  (65668, 1, ...
 00914  1252   NtAllocateVirtualMemory  ... 10477568, 8192, ) == 0x0
 00915   384   NtUserQueryWindow  ... ) == 0x6d4
 00916  1252   NtProtectVirtualMemory  (-1, (0x9fe000), 4096, 260, ...
 00917   384   NtUserValidateHandleSecure  (196680, ...
 00916  1252   NtProtectVirtualMemory  ... (0x9fe000), 4096, 4, ) == 0x0
 00917   384   NtUserValidateHandleSecure  ... ) == 0x1
 00913   376   NtQuerySystemInformation  ... {system info, class 8, size 48}, 48, ) == 0x0
 00918   384   NtUserQueryWindow  (196680, 0, ...
 00919   376   NtQuerySystemInformation  (Performance, 312, ...
 00918   384   NtUserQueryWindow  ... ) == 0x6b8
 00919   376   NtQuerySystemInformation  ... {system info, class 2, size 312}, 312, ) == 0x0
 00920  1252   NtCreateThread  (0x1f03ff, 0x0, -1, 11533196, 11533140, 1, ...
 00921   376   NtQuerySystemInformation  (Exception, 16, ...
 00920  1252   NtCreateThread  ... 76, {1736, 1168}, ) == 0x0
 00921   376   NtQuerySystemInformation  ... {system info, class 33, size 16}, 16, ) == 0x0
 00922  1252   NtQueryInformationThread  (76, Basic, 28, ...
 00923   376   NtQuerySystemInformation  (Lookaside, 32, ...
 00922  1252   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ffdb000,Pid=1736,Tid=1168,}, 0x0, ) == 0x0
 00924   384   NtUserQueryWindow  (196680, 1, ...
 00925  1252   NtRequestWaitReplyPort  (28, {28, 56, new_msg, 0, 1736, 1252, 75528, 0}  (28, {28, 56, new_msg, 0, 1736, 1252, 75528, 0} "\0\0\0\0\1\0\1\0\0\0\0\0p\5\221|L\0\0\0\310\6\0\0\220\4\0\0" ...  ...
 00924   384   NtUserQueryWindow  ... ) == 0x6d4
 00926   384   NtUserValidateHandleSecure  (65650, ... ) == 0x1
 00927   384   NtUserQueryWindow  (65650, 0, ... ) == 0x6b8
 00928   384   NtUserQueryWindow  (65650, 1, ... ) == 0x6d4
 00929   384   NtUserValidateHandleSecure  (131154, ... ) == 0x1
 00930   384   NtUserQueryWindow  (131154, 0, ... ) == 0x6b8
 00923   376   NtQuerySystemInformation  ... {system info, class 45, size 32}, 32, ) == 0x0
 00925  1252   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1736, 1252, 75530, 0}  ... {28, 56, reply, 0, 1736, 1252, 75530, 0} "\0\0\0\0\1\0\1\0\0\0\0\0p\5\221|L\0\0\0\310\6\0\0\220\4\0\0" )  ) == 0x0
 00931   376   NtQuerySystemInformation  (ProcessorStatistics, 3016, ...
 00932  1252   NtResumeThread  (76, ...
 00931   376   NtQuerySystemInformation  ... {system info, class 23, size 0}, 0, ) == 0x0
 00933  1168   NtRequestWaitReplyPort  (28, {24, 52, new_msg, 0, 0, 0, 0, 0}  (28, {24, 52, new_msg, 0, 0, 0, 0, 0} "\0\0\0\0Q\2\2\0\0\0\0\0\0\0\0\0\1\0:\0\0\0\0\0" ...  ...
 00932  1252   NtResumeThread  ... 1, ) == 0x0
 00933  1168   NtRequestWaitReplyPort  ... {24, 52, reply, 0, 1736, 1168, 75531, 0}  ... {24, 52, reply, 0, 1736, 1168, 75531, 0} "\0\0\0\0Q\2\2\0\273\0\0\300\0\0\0\0\1\0:\0\0\0\0\0" )  ) == 0x0
 00934   376   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ...
 00935  1168   NtTestAlert  (...
 00936  1252   NtClose  (76, ...
 00935  1168   NtTestAlert  ... ) == 0x0
 00934   376   NtQuerySystemInformation  ... ) == STATUS_INFO_LENGTH_MISMATCH
 00937  1168   NtContinue  (10485040, 1, ...
 00936  1252   NtClose  ... ) == 0x0
 00938  1168   NtRegisterThreadTerminatePort  (28, ...
 00939   376   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ...
 00938  1168   NtRegisterThreadTerminatePort  ... ) == 0x0
 00940  1252   NtWaitForSingleObject  (96, 0, 0x0, ...
 00941   384   NtUserQueryWindow  (131154, 1, ...
 00942  1168   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 00939   376   NtCreateKey  ... -2147482576, 2, ) == 0x0
 00941   384   NtUserQueryWindow  ... ) == 0x6d4
 00943   376   NtSetValueKey  (-2147482576,  (-2147482576, "Seed", 0, 3, "\225\256\252\266\240G7j\377\317\230UO\224\350\13k\12\25\25\303a9\30\327\332"F \246\10M\204\267\300\315o\24\360k\334\34\307 h\211-\201\1\16^w\272\231\217V\207\253q\177rUsf\342y\260\257|\263\340\32\338\360\2657 JC", 80, ... , 0, 3,  (-2147482576, "Seed", 0, 3, "\225\256\252\266\240G7j\377\317\230UO\224\350\13k\12\25\25\303a9\30\327\332"F \246\10M\204\267\300\315o\24\360k\334\34\307 h\211-\201\1\16^w\272\231\217V\207\253q\177rUsf\342y\260\257|\263\340\32\338\360\2657 JC", 80, ... F \246\10M\204\267\300\315o\24\360k\334\34\307 h\211-\201\1\16^w\272\231\217V\207\253q\177rUsf\342y\260\257|\263\340\32\338\360\2657 JC", 80, ...
 00944   384   NtUserValidateHandleSecure  (327836, ...
 00943   376   NtSetValueKey  ... ) == 0x0
 00944   384   NtUserValidateHandleSecure  ... ) == 0x1
 00945   376   NtClose  (-2147482576, ...
 00946   384   NtUserQueryWindow  (327836, 0, ...
 00945   376   NtClose  ... ) == 0x0
 00946   384   NtUserQueryWindow  ... ) == 0x6b8
 00910   376   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\251b\4\25\24)&\274y]mS\203EF\324x\205\377\272\324\166\334f\5 m\273L`\336\226\343\366\277\342\13A\376sxyx{<\335\372\216\277k\256\1\365\303\321\337\4"\362\327\372\277\375\\15\201\274\347\304\2123\206\377\5g*\310K\16_2\277\301\2446M\273\303wtz&\347\277\203\3179!\201\250\373#\310h\362_\321C\376\327C\227\3\20A\317W\375\337\300\220\355\202g\11>\361\215\250\62\263@c\27\357r[.\355\12\305\264\252 \250\240@\213\21L\376\301\2\234\315b\3\20\222\212\32\217\377\271\205\320\27^X\342E\232(\266~\307}\222\305n\274\301s,eI|\32C\241[,_\363W#\247\276\314\372@\214\364\351f\302D\272\327\251\312hH\311\377"1\232\21\13\320\257;-\342d\21'\203\371\307\\323\313zx\206\25\353\312\6!.\6\323u\226~\201\357a\317\305\364", ) \362\327\372\277\375\\15\201\274\347\304\2123\206\377\5g*\310K\16_2\277\301\2446M\273\303wtz&\347\277\203\3179!\201\250\373#\310h\362_\321C\376\327C\227\3\20A\317W\375\337\300\220\355\202g\11>\361\215\250\62\263@c\27\357r[.\355\12\305\264\252 \250\240@\213\21L\376\301\2\234\315b\3\20\222\212\32\217\377\271\205\320\27^X\342E\232(\266~\307}\222\305n\274\301s,eI|\32C\241[,_\363W#\247\276\314\372@\214\364\351f\302D\272\327\251\312hH\311\377 ... {status=0x0, info=256}, "\251b\4\25\24)&\274y]mS\203EF\324x\205\377\272\324\166\334f\5 m\273L`\336\226\343\366\277\342\13A\376sxyx{<\335\372\216\277k\256\1\365\303\321\337\4"\362\327\372\277\375\\15\201\274\347\304\2123\206\377\5g*\310K\16_2\277\301\2446M\273\303wtz&\347\277\203\3179!\201\250\373#\310h\362_\321C\376\327C\227\3\20A\317W\375\337\300\220\355\202g\11>\361\215\250\62\263@c\27\357r[.\355\12\305\264\252 \250\240@\213\21L\376\301\2\234\315b\3\20\222\212\32\217\377\271\205\320\27^X\342E\232(\266~\307}\222\305n\274\301s,eI|\32C\241[,_\363W#\247\276\314\372@\214\364\351f\302D\272\327\251\312hH\311\377"1\232\21\13\320\257;-\342d\21'\203\371\307\\323\313zx\206\25\353\312\6!.\6\323u\226~\201\357a\317\305\364", ) , ) == 0x0
 00942  1168   NtSetInformationThread  ... ) == 0x0
 00947   384   NtUserQueryWindow  (327836, 1, ...
 00948  1168   NtSetEvent  (96, ...
 00947   384   NtUserQueryWindow  ... ) == 0x6d4
 00948  1168   NtSetEvent  ... 0x0, ) == 0x0
 00949   384   NtUserValidateHandleSecure  (1311158, ...
 00940  1252   NtWaitForSingleObject  ... ) == 0x0
 00950  1168   NtQueryInformationThread  (-2, AmILastThread, 4, ...
 00949   384   NtUserValidateHandleSecure  ... ) == 0x1
 00951  1252   NtClose  (96, ...
 00950  1168   NtQueryInformationThread  ... {thread info, class 12, size 4}, 0x0, ) == 0x0
 00952   384   NtUserQueryWindow  (1311158, 0, ...
 00951  1252   NtClose  ... ) == 0x0
 00953  1168   NtTerminateThread  (0, 0, ...
 00952   384   NtUserQueryWindow  ... ) == 0x6b8
 00954  1252   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 00955   376   NtDeviceIoControlFile  (80, 0, 0x0, 0x0, 0x390008,  (80, 0, 0x0, 0x0, 0x390008, "\335\346W*\217\342\312'!\16Z\355f\312\224\324\230\346\374\236\148\277J\15\236\177\357\37C\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 00956  1168   NtFreeVirtualMemory  (-1, (0x900000), 0, 32768, ...
 00954  1252   NtCreateEvent  ... 96, ) == 0x0
 00956  1168   NtFreeVirtualMemory  ... (0x900000), 1048576, ) == 0x0
 00957   376   NtQuerySystemInformation  (TimeOfDay, 48, ...
 00958   384   NtUserQueryWindow  (1311158, 1, ...
 00957   376   NtQuerySystemInformation  ... {system info, class 3, size 48}, 48, ) == 0x0
 00958   384   NtUserQueryWindow  ... ) == 0x6d4
 00959   376   NtQuerySystemInformation  (ProcessorTimes, 48, ...
 00960   384   NtUserValidateHandleSecure  (786898, ...
 00959   376   NtQuerySystemInformation  ... {system info, class 8, size 48}, 48, ) == 0x0
 00960   384   NtUserValidateHandleSecure  ... ) == 0x1
 00961   376   NtQuerySystemInformation  (Performance, 312, ...
 00962   384   NtUserQueryWindow  (786898, 0, ...
 00963  1252   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 00962   384   NtUserQueryWindow  ... ) == 0x6b8
 00963  1252   NtAllocateVirtualMemory  ... 9437184, 1048576, ) == 0x0
 00961   376   NtQuerySystemInformation  ... {system info, class 2, size 312}, 312, ) == 0x0
 00964  1252   NtAllocateVirtualMemory  (-1, 10477568, 0, 8192, 4096, 4, ...
 00965   376   NtQuerySystemInformation  (Exception, 16, ...
 00964  1252   NtAllocateVirtualMemory  ... 10477568, 8192, ) == 0x0
 00965   376   NtQuerySystemInformation  ... {system info, class 33, size 16}, 16, ) == 0x0
 00966  1252   NtProtectVirtualMemory  (-1, (0x9fe000), 4096, 260, ...
 00967   376   NtQuerySystemInformation  (Lookaside, 32, ...
 00966  1252   NtProtectVirtualMemory  ... (0x9fe000), 4096, 4, ) == 0x0
 00967   376   NtQuerySystemInformation  ... {system info, class 45, size 32}, 32, ) == 0x0
 00968   384   NtUserQueryWindow  (786898, 1, ...
 00969   376   NtQuerySystemInformation  (ProcessorStatistics, 3016, ...
 00968   384   NtUserQueryWindow  ... ) == 0x6d4
 00970  1252   NtCreateThread  (0x1f03ff, 0x0, -1, 11533196, 11533140, 1, ...
 00971   384   NtUserValidateHandleSecure  (852226, ...
 00970  1252   NtCreateThread  ... 76, {1736, 120}, ) == 0x0
 00971   384   NtUserValidateHandleSecure  ... ) == 0x1
 00972  1252   NtQueryInformationThread  (76, Basic, 28, ...
 00973   384   NtUserQueryWindow  (852226, 0, ...
 00972  1252   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ffdb000,Pid=1736,Tid=120,}, 0x0, ) == 0x0
 00973   384   NtUserQueryWindow  ... ) == 0x6b8
 00974  1252   NtRequestWaitReplyPort  (28, {28, 56, new_msg, 0, 1736, 1252, 75530, 0}  (28, {28, 56, new_msg, 0, 1736, 1252, 75530, 0} "\0\0\0\0\1\0\1\0\0\0\0\0p\5\221|L\0\0\0\310\6\0\0x\0\0\0" ...  ...
 00969   376   NtQuerySystemInformation  ... {system info, class 23, size 0}, 0, ) == 0x0
 00975   376   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 00976   376   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482576, 2, ) }, 0, 0x0, 0, ... -2147482576, 2, ) == 0x0
 00977   376   NtSetValueKey  (-2147482576,  (-2147482576, "Seed", 0, 3, "\234Xn(\220\323\225\373\256\12&\25\244\251y\35]\11W\370\343\244n\323=\267\2369n*\307\347f\1\234tkuo\312F\36\226\212"\264\377\364f\277p\177\7\346vS\N\256ez\334\35\324a\2230u_\15Q\217\344\1\16\365\320v\323\264", 80, ... ) , 0, 3,  (-2147482576, "Seed", 0, 3, "\234Xn(\220\323\225\373\256\12&\25\244\251y\35]\11W\370\343\244n\323=\267\2369n*\307\347f\1\234tkuo\312F\36\226\212"\264\377\364f\277p\177\7\346vS\N\256ez\334\35\324a\2230u_\15Q\217\344\1\16\365\320v\323\264", 80, ... ) \264\377\364f\277p\177\7\346vS\N\256ez\334\35\324a\2230u_\15Q\217\344\1\16\365\320v\323\264", 80, ... ) == 0x0
 00978   376   NtClose  (-2147482576, ... ) == 0x0
 00955   376   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\306 \306\370\277\355.\0\276\210=u\12\227)i_Om\14fr\323\336\5\31\235c\36\277\2040\317\332v;\303\201\332\223\313B\311y(c\362\327\204\222\213S'\0\364\11\225L\215\32$5\13O\245\32\236~\264\275\272_\302\334\227\302\317\347\353\270\35@9'\314\215\355\207<\302\207\1\344mu\33\364\5\222|0+\267\5\231\305\231\264$\24q\325n(\23\35p\220\306\177I\310\370\245\230U5\370\334\201\231~\204B\27BZky]a\233\3734\234\327\255\3529\303\\1f$\357C\266U\177\313\340\6\26:V\206\217\311\350\374\34\27:\3477\311\355\261\11\240\3200r&\4ZW\337\316\343\25\243~u\231\345y\200u\223\313\311\255\30\222T\361\361U\245h\373\3456\351\255\346\360?I\6\335\224\20\346\346\22\344\376-\201NK:I\2345\306\204y\340\323-=\236P\255\221\6\210\341\342\207\27\221", ) , ) == 0x0
 00979   376   NtDeviceIoControlFile  (80, 0, 0x0, 0x0, 0x390008,  (80, 0, 0x0, 0x0, 0x390008, "\335\346W*\217\342\312'!\16Z\355f\312\224\324\230\346\374\236\14\33\12\230\346\374\236\148\277J\15\236\177\357\37C\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 00980   376   NtQuerySystemInformation  (TimeOfDay, 48, ...
 00981   384   NtUserQueryWindow  (852226, 1, ...
 00974  1252   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1736, 1252, 75533, 0}  ... {28, 56, reply, 0, 1736, 1252, 75533, 0} "\0\0\0\0\1\0\1\0\0\0\0\0p\5\221|L\0\0\0\310\6\0\0x\0\0\0" )  ) == 0x0
 00981   384   NtUserQueryWindow  ... ) == 0x6d4
 00982  1252   NtResumeThread  (76, ...
 00983   384   NtUserValidateHandleSecure  (327842, ...
 00984   120   NtRequestWaitReplyPort  (28, {24, 52, new_msg, 0, 0, 0, 0, 0}  (28, {24, 52, new_msg, 0, 0, 0, 0, 0} "\0\0\0\0Q\2\2\0\0\0\0\0\0\0\0\0\1\0:\0\0\0\0\0" ...  ...
 00982  1252   NtResumeThread  ... 1, ) == 0x0
 00984   120   NtRequestWaitReplyPort  ... {24, 52, reply, 0, 1736, 120, 75534, 0}  ... {24, 52, reply, 0, 1736, 120, 75534, 0} "\0\0\0\0Q\2\2\0\273\0\0\300\0\0\0\0\1\0:\0\0\0\0\0" )  ) == 0x0
 00983   384   NtUserValidateHandleSecure  ... ) == 0x1
 00985   120   NtTestAlert  (...
 00986  1252   NtClose  (76, ...
 00985   120   NtTestAlert  ... ) == 0x0
 00987   384   NtUserQueryWindow  (327842, 0, ...
 00988   120   NtContinue  (10485040, 1, ...
 00986  1252   NtClose  ... ) == 0x0
 00989   120   NtRegisterThreadTerminatePort  (28, ...
 00987   384   NtUserQueryWindow  ... ) == 0x6b8
 00989   120   NtRegisterThreadTerminatePort  ... ) == 0x0
 00990  1252   NtWaitForSingleObject  (96, 0, 0x0, ...
 00980   376   NtQuerySystemInformation  ... {system info, class 3, size 48}, 48, ) == 0x0
 00991   120   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 00992   384   NtUserQueryWindow  (327842, 1, ...
 00993   376   NtQuerySystemInformation  (ProcessorTimes, 48, ...
 00992   384   NtUserQueryWindow  ... ) == 0x6d4
 00993   376   NtQuerySystemInformation  ... {system info, class 8, size 48}, 48, ) == 0x0
 00994   384   NtUserValidateHandleSecure  (852250, ...
 00995   376   NtQuerySystemInformation  (Performance, 312, ...
 00994   384   NtUserValidateHandleSecure  ... ) == 0x1
 00995   376   NtQuerySystemInformation  ... {system info, class 2, size 312}, 312, ) == 0x0
 00996   384   NtUserQueryWindow  (852250, 0, ...
 00997   376   NtQuerySystemInformation  (Exception, 16, ...
 00996   384   NtUserQueryWindow  ... ) == 0x6b8
 00991   120   NtSetInformationThread  ... ) == 0x0
 00997   376   NtQuerySystemInformation  ... {system info, class 33, size 16}, 16, ) == 0x0
 00998   120   NtSetEvent  (96, ...
 00999   376   NtQuerySystemInformation  (Lookaside, 32, ...
 00998   120   NtSetEvent  ... 0x0, ) == 0x0
 00999   376   NtQuerySystemInformation  ... {system info, class 45, size 32}, 32, ) == 0x0
 00990  1252   NtWaitForSingleObject  ... ) == 0x0
 01000   120   NtDuplicateObject  (-1, 2462, -1, 0x0, 0, 2, ...
 01001   376   NtQuerySystemInformation  (ProcessorStatistics, 3016, ...
 01002  1252   NtClose  (96, ...
 01000   120   NtDuplicateObject  ... ) == STATUS_INVALID_HANDLE
 01001   376   NtQuerySystemInformation  ... {system info, class 23, size 0}, 0, ) == 0x0
 01002  1252   NtClose  ... ) == 0x0
 01003   120   NtClose  (0, ...
 01004   376   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ...
 01005  1252   NtQueryInformationThread  (-2, AmILastThread, 4, ...
 01006   384   NtUserQueryWindow  (852250, 1, ...
 01003   120   NtClose  ... ) == STATUS_INVALID_HANDLE
 01005  1252   NtQueryInformationThread  ... {thread info, class 12, size 4}, 0x0, ) == 0x0
 01006   384   NtUserQueryWindow  ... ) == 0x6d4
 01007   120   NtClose  (0, ...
 01004   376   NtQuerySystemInformation  ... ) == STATUS_INFO_LENGTH_MISMATCH
 01008   384   NtUserValidateHandleSecure  (65680, ...
 01007   120   NtClose  ... ) == STATUS_INVALID_HANDLE
 01009   376   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ...
 01008   384   NtUserValidateHandleSecure  ... ) == 0x1
 01010   120   NtQueryInformationThread  (-2, AmILastThread, 4, ...
 01009   376   NtCreateKey  ... -2147482576, 2, ) == 0x0
 01011   384   NtUserQueryWindow  (65680, 0, ...
 01010   120   NtQueryInformationThread  ... {thread info, class 12, size 4}, 0x0, ) == 0x0
 01012   376   NtSetValueKey  (-2147482576,  (-2147482576, "Seed", 0, 3, "\334\324\243\314\345m\345\12\222C\322\322\222@(p\12&#w\335\270\342d\372\221\zO\346e\215n\347\25\352\256@\20\341V-oU\304\324\240\17\371_3\262\310\22\22\350a\267\21\2433\203U\206\362+\213{\32\203\254z`\243\\35\15\262\364\271", 80, ... , 0, 3,  (-2147482576, "Seed", 0, 3, "\334\324\243\314\345m\345\12\222C\322\322\222@(p\12&#w\335\270\342d\372\221\zO\346e\215n\347\25\352\256@\20\341V-oU\304\324\240\17\371_3\262\310\22\22\350a\267\21\2433\203U\206\362+\213{\32\203\254z`\243\\35\15\262\364\271", 80, ... , 80, ...
 01011   384   NtUserQueryWindow  ... ) == 0x6b8
 01013   120   NtTerminateThread  (0, 0, ...
 01012   376   NtSetValueKey  ... ) == 0x0
 01014  1252   NtUserCallOneParam  (0, 40, ...
 01015   384   NtUserQueryWindow  (65680, 1, ...
 01016   376   NtClose  (-2147482576, ...
 01014  1252   NtUserCallOneParam  ... ) == 0x4090409
 01015   384   NtUserQueryWindow  ... ) == 0x6bc
 01017   120   NtFreeVirtualMemory  (-1, (0x900000), 0, 32768, ...
 01018  1252   NtUserGetThreadState  (4, ...
 01017   120   NtFreeVirtualMemory  ... (0x900000), 1048576, ) == 0x0
 01019   384   NtUserValidateHandleSecure  (65744, ...
 01018  1252   NtUserGetThreadState  ... ) == 0x1401e3
 01019   384   NtUserValidateHandleSecure  ... ) == 0x1
 01020  1252   NtUserValidateHandleSecure  (1311203, ...
 01021   384   NtUserQueryWindow  (65744, 0, ...
 01020  1252   NtUserValidateHandleSecure  ... ) == 0x1
 01021   384   NtUserQueryWindow  ... ) == 0x19c
 01016   376   NtClose  ... ) == 0x0
 01022  1252   NtTerminateThread  (0, 0, ...
 00979   376   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\367:\351\345(\254a\263\5\217\216l{O\343\341\344\275\274-\236\256\370\352z\311m7\247}\316y\247\343\200\230\277uw\372\252"\24*\212\14\240\302\227\233\300\320f"\22\247\264\336\251\221\17\373\244"$U^\22\16\360\13\\20)\270\256\200#\13'aY\35t\256\233\237_J\14\337\4\372\262\14Qk\32\244W\277I\336%\327\262y\225\247\352\345;\31\247\31Wx\16\225t\325\254P\375\27S\327\262Cr\352+\361-U\307\330\313Wt\376$\227\247\36\352.R1\201\241\354\265!\203k\343\3\352\327\177?\314\310\374\250'\306Y\336\227\203\303D\377\5K\312O\250\305\346\247\366\301\17\30#\304\312A\177R\7\315\26\252 \260\365\36*\306\364-\343\307\356\32I\202E\31\234\326\25\23\237\237O\346\267\326\240\3032\224\270\353\21c\17&\305\223\22\222\373h)\22l%_\246\327]\201|i\36\267t\200.\344", ) \24*\212\14\240\302\227\233\300\320f ... {status=0x0, info=256}, "\367:\351\345(\254a\263\5\217\216l{O\343\341\344\275\274-\236\256\370\352z\311m7\247}\316y\247\343\200\230\277uw\372\252"\24*\212\14\240\302\227\233\300\320f"\22\247\264\336\251\221\17\373\244"$U^\22\16\360\13\\20)\270\256\200#\13'aY\35t\256\233\237_J\14\337\4\372\262\14Qk\32\244W\277I\336%\327\262y\225\247\352\345;\31\247\31Wx\16\225t\325\254P\375\27S\327\262Cr\352+\361-U\307\330\313Wt\376$\227\247\36\352.R1\201\241\354\265!\203k\343\3\352\327\177?\314\310\374\250'\306Y\336\227\203\303D\377\5K\312O\250\305\346\247\366\301\17\30#\304\312A\177R\7\315\26\252 \260\365\36*\306\364-\343\307\356\32I\202E\31\234\326\25\23\237\237O\346\267\326\240\3032\224\270\353\21c\17&\305\223\22\222\373h)\22l%_\246\327]\201|i\36\267t\200.\344", ) $U^\22\16\360\13\\20)\270\256\200#\13'aY\35t\256\233\237_J\14\337\4\372\262\14Qk\32\244W\277I\336%\327\262y\225\247\352\345;\31\247\31Wx\16\225t\325\254P\375\27S\327\262Cr\352+\361-U\307\330\313Wt\376$\227\247\36\352.R1\201\241\354\265!\203k\343\3\352\327\177?\314\310\374\250'\306Y\336\227\203\303D\377\5K\312O\250\305\346\247\366\301\17\30#\304\312A\177R\7\315\26\252 \260\365\36*\306\364-\343\307\356\32I\202E\31\234\326\25\23\237\237O\346\267\326\240\3032\224\270\353\21c\17&\305\223\22\222\373h)\22l%_\246\327]\201|i\36\267t\200.\344", ) == 0x0
 01023  1252   NtFreeVirtualMemory  (-1, (0xa00000), 0, 32768, ... (0xa00000), 1048576, ) == 0x0
 01024   376   NtDeviceIoControlFile  (80, 0, 0x0, 0x0, 0x390008,  (80, 0, 0x0, 0x0, 0x390008, "\335\346W*\217\342\312'!\16Z\355f\312\224\324\230\346\374\236\14\33\12\230\346\374\236\14\33\12\230\346\374\236\148\277J\15\236\177\357\37C\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01025   376   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01026   376   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01027   376   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01028   376   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01029   376   NtQuerySystemInformation  (Lookaside, 32, ...
 01030   384   NtUserQueryWindow  (65744, 1, ... ) == 0x1a0
 01031   384   NtUserValidateHandleSecure  (131248, ... ) == 0x1
 01032   384   NtUserQueryWindow  (131248, 0, ... ) == 0xa0
 01033   384   NtUserQueryWindow  (131248, 1, ... ) == 0xe4
 01034   384   NtUserValidateHandleSecure  (65740, ... ) == 0x1
 01035   384   NtUserQueryWindow  (65740, 0, ... ) == 0x19c
 01029   376   NtQuerySystemInformation  ... {system info, class 45, size 32}, 32, ) == 0x0
 01036   376   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01037   376   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01038   376   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482576, 2, ) }, 0, 0x0, 0, ... -2147482576, 2, ) == 0x0
 01039   376   NtSetValueKey  (-2147482576,  (-2147482576, "Seed", 0, 3, "3g\27>\357\375\307\25\336\202\274\204\356\210\250\236\331\201\314:%\273}\220\2655%1\21\361\262\301\344L\301fe\2548x\217\10\235a\263\376\327E\304n:\232xz W\30\225\301\361f\324\2401~\306\35\24\14a`rE\234\377:\353S\0", 80, ... ) , 0, 3,  (-2147482576, "Seed", 0, 3, "3g\27>\357\375\307\25\336\202\274\204\356\210\250\236\331\201\314:%\273}\220\2655%1\21\361\262\301\344L\301fe\2548x\217\10\235a\263\376\327E\304n:\232xz W\30\225\301\361f\324\2401~\306\35\24\14a`rE\234\377:\353S\0", 80, ... ) , 80, ... ) == 0x0
 01040   376   NtClose  (-2147482576, ... ) == 0x0
 01024   376   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "k\307X"\364\306\10\222\307\206\205>\270\331\371\315N{\267G\242<\10\277\340\302\270;\354{\31\10l7SE\325\347\221D\303\272\223\202\370l\240\245#\\21.\277\207R\370Hx\223%(\27\322fM\353\343E\216\361eD\371\231x\322[\222yL\207^\316%\2.364\306\10\222\307\206\205>\270\331\371\315N{\267G\242<\10\277\340\302\270;\354{\31\10l7SE\325\347\221D\303\272\223\202\370l\240\245#\\21.\277\207R\370Hx\223%(\27\322fM\353\343E\216\361eD\371\231x\322[\222yL\207^\316%\2.272\313&\377p}\337\210\222\3200\\6\307\234\227C7ou\16\5\26\4\241(\355\314tU\313\34\36\207_\327\357\201\20\345\16`\331\363\37\320\320\3031\211^\204\205,\334r\10H)%7F\213\216m`\226\272\302r\214; \235y\316\14I\266\274=\366\314\201\6=7=?d\14\234q\211\27a \373\300\370\5\6\360\203\323\205\342\356C\35c`\345g\3760\361\242zp\337\342A\230\252'\356\314\237\201\356J\233i\260?\343\340KQ\245\251F\266\242L\14\322\7\35\270iUf\266\237y\316\22\235z\251\241\323\234\27\3(", ) == 0x0
 01041   384   NtUserQueryWindow  (65740, 1, ... ) == 0x1a0
 01042   384   NtUserValidateHandleSecure  (1245452, ... ) == 0x1
 01043   384   NtUserQueryWindow  (1245452, 0, ... ) == 0x5e8
 01044   384   NtUserQueryWindow  (1245452, 1, ... ) == 0x534
 01045   384   NtUserValidateHandleSecure  (1442092, ... ) == 0x1
 01046   384   NtUserQueryWindow  (1442092, 0, ... ) == 0xa4
 01047   376   NtDeviceIoControlFile  (80, 0, 0x0, 0x0, 0x390008,  (80, 0, 0x0, 0x0, 0x390008, "\335\346W*\217\342\312'!\16Z\355f\312\224\324\230\346\374\236\14\33\12\230\346\374\236\14\33\12\230\346\374\236\14\33\12\230\346\374\236\148\277J\15\236\177\357\37C\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01048   376   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01049   376   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01050   376   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01051   376   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01052   376   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01053   376   NtQuerySystemInformation  (ProcessorStatistics, 3016, ...
 01054   384   NtUserQueryWindow  (1442092, 1, ... ) == 0x61c
 01055   384   NtUserValidateHandleSecure  (459098, ... ) == 0x1
 01056   384   NtUserQueryWindow  (459098, 0, ... ) == 0x4b0
 01057   384   NtUserQueryWindow  (459098, 1, ... ) == 0x780
 01058   384   NtUserValidateHandleSecure  (852424, ... ) == 0x1
 01059   384   NtUserQueryWindow  (852424, 0, ... ) == 0x6b8
 01053   376   NtQuerySystemInformation  ... {system info, class 23, size 0}, 0, ) == 0x0
 01060   376   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01061   376   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482576, 2, ) }, 0, 0x0, 0, ... -2147482576, 2, ) == 0x0
 01062   376   NtSetValueKey  (-2147482576,  (-2147482576, "Seed", 0, 3, "\367/\204$G2@?#6\354\367\35Z)\337\255\300\367\300\242\210\262M*@&\343\331\23\2\3-\331\11\322\351\10\31\\375\376\320\377\372@\4Z4\376\26S\376W)w65\261<\336\31\351\31i\34\25\226Z\5Mu\221\201\2}\315\213\304\203", 80, ... ) , 0, 3,  (-2147482576, "Seed", 0, 3, "\367/\204$G2@?#6\354\367\35Z)\337\255\300\367\300\242\210\262M*@&\343\331\23\2\3-\331\11\322\351\10\31\\375\376\320\377\372@\4Z4\376\26S\376W)w65\261<\336\31\351\31i\34\25\226Z\5Mu\221\201\2}\315\213\304\203", 80, ... ) , 80, ... ) == 0x0
 01063   376   NtClose  (-2147482576, ... ) == 0x0
 01047   376   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\272Z\322\233\220\232Gt\304\222\330\207g\222\377\224j\262\7\15\270\20q\300=\335j\7\315\302\362\13\203d\307Z\227\217\376\356\31\371:\345\62~\0\271\276\\317y\356n)\14'\31\24318)\205\236\2448\322\3136\216\224Dwon\273\10nT\264\\253\355\201\263T\34\264q\232UD\215\15\223w\33Y\220\25\341\217B>Us\0y;\242\343pmY\15Ae\260\234\333\370\240\253w,^\223\232\246\7\230\215\361\274=^\241\3426\306\212'w~\313\217>\356\16\177\216\7}\340\10\313\376\331\243#\304\203\14$\376|\265)\313\234\360\344]\21\256\330@\314\223hU\222\214\23\256\255\357U\372\244A\335\374\346\315gO\6\324\364\7JC\21.Y\4\7\325VV\351I/\16)L\213@_\33\332\36\251\21d^\267\227\2\367U\333\14\37\346\220\273\201p \129\276\3364h\332\332V\26\251\342\20c", ) , ) == 0x0
 01064   376   NtDeviceIoControlFile  (80, 0, 0x0, 0x0, 0x390008,  (80, 0, 0x0, 0x0, 0x390008, "\335\346W*\217\342\312'!\16Z\355f\312\224\324\230\346\374\236\14\33\12\230\346\374\236\14\33\12\230\346\374\236\14\33\12\230\346\374\236\14\33\12\230\346\374\236\148\277J\15\236\177\357\37C\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01065   376   NtQuerySystemInformation  (TimeOfDay, 48, ...
 01066   384   NtUserQueryWindow  (852424, 1, ... ) == 0x6d4
 01067   384   NtUserValidateHandleSecure  (917932, ... ) == 0x1
 01068   384   NtUserQueryWindow  (917932, 0, ... ) == 0x6b8
 01069   384   NtUserQueryWindow  (917932, 1, ... ) == 0x6d4
 01070   384   NtUserValidateHandleSecure  (786896, ... ) == 0x1
 01071   384   NtUserQueryWindow  (786896, 0, ... ) == 0x6b8
 01065   376   NtQuerySystemInformation  ... {system info, class 3, size 48}, 48, ) == 0x0
 01072   376   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01073   376   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01074   376   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01075   376   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01076   376   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01077   376   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ...
 01078   384   NtUserQueryWindow  (786896, 1, ... ) == 0x6d4
 01079   384   NtUserValidateHandleSecure  (655820, ... ) == 0x1
 01080   384   NtUserQueryWindow  (655820, 0, ... ) == 0x6b8
 01081   384   NtUserQueryWindow  (655820, 1, ... ) == 0x6d4
 01082   384   NtUserValidateHandleSecure  (196940, ... ) == 0x1
 01083   384   NtUserQueryWindow  (196940, 0, ... ) == 0x4b4
 01077   376   NtQuerySystemInformation  ... ) == STATUS_INFO_LENGTH_MISMATCH
 01084   376   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482576, 2, ) }, 0, 0x0, 0, ... -2147482576, 2, ) == 0x0
 01085   376   NtSetValueKey  (-2147482576,  (-2147482576, "Seed", 0, 3, "\232\211\33\256\271q9\312\7\222\232\17J\221Z\371\213\371dTB\224\322\5\11\303<\366\22\354\232\346\2226\12+z\353\325x\203\327\276z\307\17.\242\203\367\34O\322\3\363\241KK\22\30\3508\211#l\273\241A\224\33\203\10h\336\235m\273\27\264", 80, ... ) , 0, 3,  (-2147482576, "Seed", 0, 3, "\232\211\33\256\271q9\312\7\222\232\17J\221Z\371\213\371dTB\224\322\5\11\303<\366\22\354\232\346\2226\12+z\353\325x\203\327\276z\307\17.\242\203\367\34O\322\3\363\241KK\22\30\3508\211#l\273\241A\224\33\203\10h\336\235m\273\27\264", 80, ... ) , 80, ... ) == 0x0
 01086   376   NtClose  (-2147482576, ... ) == 0x0
 01064   376   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\267\6~-',\21\304\16\353\256\27p\356\353\320\343F\341\375\330\273hcJ\243=\266\250H'\351U\201\243\4\337\242. \205\315\260\312z\2p\325h\245\327k\245\206\341\12_H\302Ih\344\312\3\362(\30\200\241\213j\212e4\254\205\372\360[\241\246m\233\246\21\$\336\314&\364\256\301~X\304T\225_Me\241@\10VP\237|\216g\326\2\30\361\244\364\277I\21\357}\266fwrS_\312\3023\361la)_\231\303u\213\217z\362En\275\316\246\35\265\336\356\230\217\267\30n\321\14\260.>\355\236\353\206\3121\22\14/\346\321\240w+Gx\376\370\3259\254A\244G>g\356\341\361[\331\350"\244].\14z\344PK\225\200\331\1J\333\340x\233\360u:\4\363$_cR6\227\25C8$\226\260y\2707XG<5\330\360\235\243k\321*G\4\7\243\334\300\312\317@\362\325\207\241", ) \244].\14z\344PK\225\200\331\1J\333\340x\233\360u:\4\363$_cR6\227\25C8$\226\260y\2707XG<5\330\360\235\243k\321*G\4\7\243\334\300\312\317@\362\325\207\241", ) == 0x0
 01087   376   NtDeviceIoControlFile  (80, 0, 0x0, 0x0, 0x390008,  (80, 0, 0x0, 0x0, 0x390008, "\335\346W*\217\342\312'!\16Z\355f\312\224\324\230\346\374\236\14\33\12\230\346\374\236\14\33\12\230\346\374\236\14\33\12\230\346\374\236\14\33\12\230\346\374\236\14\33\12\230\346\374\236\148\277J\15\236\177\357\37C\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01088   376   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01089   376   NtQuerySystemInformation  (ProcessorTimes, 48, ...
 01090   384   NtUserQueryWindow  (196940, 1, ... ) == 0x474
 01091   384   NtUserValidateHandleSecure  (65820, ... ) == 0x1
 01092   384   NtUserQueryWindow  (65820, 0, ... ) == 0x22c
 01093   384   NtUserQueryWindow  (65820, 1, ... ) == 0x220
 01094   384   NtUserValidateHandleSecure  (65766, ... ) == 0x1
 01095   384   NtUserQueryWindow  (65766, 0, ... ) == 0x6b8
 01089   376   NtQuerySystemInformation  ... {system info, class 8, size 48}, 48, ) == 0x0
 01096   376   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01097   376   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01098   376   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01099   376   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01100   376   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01101   376   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ...
 01102   384   NtUserQueryWindow  (65766, 1, ... ) == 0x13c
 01103   384   NtUserValidateHandleSecure  (65750, ... ) == 0x1
 01104   384   NtUserQueryWindow  (65750, 0, ... ) == 0x6b8
 01105   384   NtUserQueryWindow  (65750, 1, ... ) == 0x13c
 01106   384   NtUserValidateHandleSecure  (65746, ... ) == 0x1
 01107   384   NtUserQueryWindow  (65746, 0, ... ) == 0x6b8
 01101   376   NtCreateKey  ... -2147482576, 2, ) == 0x0
 01108   376   NtSetValueKey  (-2147482576,  (-2147482576, "Seed", 0, 3, "\3570\205\246\6\252\276Is\252\274iWb\3^\357(qb\320\317b\372\357\352\373\336Z\\2529\357\246\360\275\306\24x\\375\254\206\273\361 \35\220\337\225U\217\227\210j\236\225\213\345\313\254J\334)\301f\367yt7k\202gt\27\10\12\263gl", 80, ... ) , 0, 3,  (-2147482576, "Seed", 0, 3, "\3570\205\246\6\252\276Is\252\274iWb\3^\357(qb\320\317b\372\357\352\373\336Z\\2529\357\246\360\275\306\24x\\375\254\206\273\361 \35\220\337\225U\217\227\210j\236\225\213\345\313\254J\334)\301f\367yt7k\202gt\27\10\12\263gl", 80, ... ) , 80, ... ) == 0x0
 01109   376   NtClose  (-2147482576, ... ) == 0x0
 01087   376   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "t$\223\313\16$\357\27\340\16O\367\270\351\322\357|\230W\23\270\273Cx\376\25\376\360\320\252:n\246O\330*o0u\324v`\263\316s\23i\263\325\237\334I\237\376 \216\352\366C\221\370\2662\347"\261F\14\327\244\353K\264\7@\324\32\26\203i\227\3151r\366\347\307\263\365C\264\275?\6\277/\3221\335\345&\253\344\3\345B\342\205\23\366\306.\1\225Z0lI\34\217&\364\205\252\226\264]{9\310mlO%\306;\260\376\11]\307\270\332\306`\224H\310\251\217\212\342v\275f\265\321\34~d\322\265\372(s\234\11\213A:\207Ew\271Qi\360)<\372\231\210\13e\256H\317L1\30W9e\362C\236\334#l\220\254.\314\275\236q\357\347\0\366\312\226\3010\272e\24\213\317@$\374d:\310\321\321p~gH'\24\366\371\205\314\211gi\17R\}\233z0\3759\334\271v\275\14h\235", ) \261F\14\327\244\353K\264\7@\324\32\26\203i\227\3151r\366\347\307\263\365C\264\275?\6\277/\3221\335\345&\253\344\3\345B\342\205\23\366\306.\1\225Z0lI\34\217&\364\205\252\226\264]{9\310mlO%\306;\260\376\11]\307\270\332\306`\224H\310\251\217\212\342v\275f\265\321\34~d\322\265\372(s\234\11\213A:\207Ew\271Qi\360)<\372\231\210\13e\256H\317L1\30W9e\362C\236\334#l\220\254.\314\275\236q\357\347\0\366\312\226\3010\272e\24\213\317@$\374d:\310\321\321p~gH'\24\366\371\205\314\211gi\17R\}\233z0\3759\334\271v\275\14h\235", ) == 0x0
 01110   376   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 84, ) == 0x0
 01111   376   NtConnectPort  ( ("\RPC Control\ntsvcs", {12, 2, 1, 1}, 0x0, 0x0, 1243404, 188, ... 96, 0x0, 0x0, 0x0, 188, ) , {12, 2, 1, 1}, 0x0, 0x0, 1243404, 188, ... 96, 0x0, 0x0, 0x0, 188, ) == 0x0
 01112   376   NtRequestWaitReplyPort  (96, {200, 224, new_msg, 0, 1333512, 12, 2, 1310977}  (96, {200, 224, new_msg, 0, 1333512, 12, 2, 1310977} "\0\0\0\0\274\0\0\0x\1\24\0\201\273z6D\230\3615\2552\230\3608\0\20\3\2\0\0\0\1\0\0\0\230`\347w\4\0\0\0Xk\24\0\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\2\0\0\0b\22\372J\257e_\206Pk\24\0h\1\24\0\12\0\0\0\0\0\0\0Pk\24\0(\0\0\0Xk\24\0'\261\247\366x\1\24\0(\0\0\0"\342\0\0\0\0\24\0h\367\22\0!-)\331\0\0\0\0\240N\24\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\214\367\22\0\372\31\221| \377\22\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ... \342\0\0\0\0\24\0h\367\22\0!-)\331\0\0\0\0\240N\24\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\214\367\22\0\372\31\221| \377\22\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ...
 01113   384   NtUserQueryWindow  (65746, 1, ... ) == 0x6d4
 01114   384   NtUserValidateHandleSecure  (65738, ... ) == 0x1
 01115   384   NtUserQueryWindow  (65738, 0, ... ) == 0x19c
 01116   384   NtUserQueryWindow  (65738, 1, ... ) == 0x1a0
 01117   384   NtUserValidateHandleSecure  (65736, ... ) == 0x1
 01118   384   NtUserQueryWindow  (65736, 0, ... ) == 0xa0
 01112   376   NtRequestWaitReplyPort  ... {200, 224, reply, 0, 1736, 376, 75538, 0}  ... {200, 224, reply, 0, 1736, 376, 75538, 0} "\7\0\0\0\274\0\0\0x\1\24\0\201\273z6D\230\3615\2552\230\3608\0\20\3\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0Xk\24\0\377\377\377\377\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\2\0\0\0b\22\372J\257e_\206Pk\24\0h\1\24\0\12\0\0\0\0\0\0\0Pk\24\0(\0\0\0Xk\24\0'\261\247\366x\1\24\0(\0\0\0"\342\0\0\0\0\24\0h\367\22\0!-)\331\0\0\0\0\240N\24\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\214\367\22\0\372\31\221| \377\22\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ) \342\0\0\0\0\24\0h\367\22\0!-)\331\0\0\0\0\240N\24\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\214\367\22\0\372\31\221| \377\22\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ) == 0x0
 01119   376   NtRequestWaitReplyPort  (96, {48, 72, new_msg, 0, 1736, 1744, 75491, 0}  (96, {48, 72, new_msg, 0, 1736, 1744, 75491, 0} "\1\0\0\0A\2\33\0<\0\370\0\226\245\335\341\264\311\275\201:\332R\200\377\377\377\377\]\222\201\0\0\0\0\0\0\0\0\0\0\0\200\0\0\0\0" ... {96, 120, reply, 0, 1736, 376, 75539, 0} "\2+\263\341\1\0T\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\265\22\275h\33\327\262O\270\2\260 0\232\275k\0\0\0\0\0\0\0\0\0\0\0\0\254f\12\0\1\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\14\0\0\0\0\0\0\0\14\0\0\0" )  ... {96, 120, reply, 0, 1736, 376, 75539, 0}  (96, {48, 72, new_msg, 0, 1736, 1744, 75491, 0} "\1\0\0\0A\2\33\0<\0\370\0\226\245\335\341\264\311\275\201:\332R\200\377\377\377\377\]\222\201\0\0\0\0\0\0\0\0\0\0\0\200\0\0\0\0" ... {96, 120, reply, 0, 1736, 376, 75539, 0} "\2+\263\341\1\0T\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\265\22\275h\33\327\262O\270\2\260 0\232\275k\0\0\0\0\0\0\0\0\0\0\0\0\254f\12\0\1\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\14\0\0\0\0\0\0\0\14\0\0\0" )  ) == 0x0
 01120   376   NtCreateFile  (0x80100080, {24, 16, 0x40, 0, 1244944, "q}, 0x0, 128, 3, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_INVALID
 01121   376   NtRequestWaitReplyPort  (96, {100, 124, new_msg, 0, 1736, 376, 75539, 0}  (96, {100, 124, new_msg, 0, 1736, 376, 75539, 0} "\1+\0\0A\2\34\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\1\0\0\0\0\0\0\265\22\275h\33\327\262O\270\2\260 0\232\275k\11\0\0\0\0\0\0\0\11\0\0\0\364L\23\312Bz9\25\0\0\0\0\4\0\0\0\0\0\0\0\14\0\0\0\0\0\0\0\14\0\0\0\0\0\0\0" ... {96, 120, reply, 0, 1736, 376, 75540, 0} "\2\314\274\201\1\0[\200\377\3\37\0\240\314\274\201\0\374\340\377H=\266\367U&\\200d=\266\367\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\4\0\0\0\0\0\0\0\0\0\0\2746\13\0\1\0\0\0\0\0\0\0\1\0\0\0\0\00\0\24\0\0\0\0\0\0\0\24\0\0\0" )  ... {96, 120, reply, 0, 1736, 376, 75540, 0}  (96, {100, 124, new_msg, 0, 1736, 376, 75539, 0} "\1+\0\0A\2\34\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\1\0\0\0\0\0\0\265\22\275h\33\327\262O\270\2\260 0\232\275k\11\0\0\0\0\0\0\0\11\0\0\0\364L\23\312Bz9\25\0\0\0\0\4\0\0\0\0\0\0\0\14\0\0\0\0\0\0\0\14\0\0\0\0\0\0\0" ... {96, 120, reply, 0, 1736, 376, 75540, 0} "\2\314\274\201\1\0[\200\377\3\37\0\240\314\274\201\0\374\340\377H=\266\367U&\\200d=\266\367\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\4\0\0\0\0\0\0\0\0\0\0\2746\13\0\1\0\0\0\0\0\0\0\1\0\0\0\0\00\0\24\0\0\0\0\0\0\0\24\0\0\0" )  ) == 0x0
 01122   376   NtCreateFile  (0x80100080, {24, 16, 0x40, 0, 1244944, "q}, 0x0, 128, 3, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_INVALID
 01123   384   NtUserQueryWindow  (65736, 1, ... ) == 0xe4
 01124   384   NtUserValidateHandleSecure  (65722, ... ) == 0x1
 01125   384   NtUserQueryWindow  (65722, 0, ... ) == 0x104
 01126   384   NtUserQueryWindow  (65722, 1, ... ) == 0x108
 01127   384   NtUserValidateHandleSecure  (65710, ... ) == 0x1
 01128   384   NtUserQueryWindow  (65710, 0, ... ) == 0x104
 01129   376   NtRequestWaitReplyPort  (96, {96, 120, new_msg, 0, 1736, 376, 75540, 0}  (96, {96, 120, new_msg, 0, 1736, 376, 75540, 0} "\1\314\0\0A\2\34\0\377\3\37\0\240\314\274\201\0\374\340\377H=\266\367\377\377\377\377d=\266\367\0\0\0\0\265\22\275h\33\327\262O\270\2\260 0\232\275k\7\0\0\0\0\0\0\0\7\0\0\0d\224DT5\32\0\0\4\0\0\0\1\0\0\0\0\00\0\24\0\0\0\0\0\0\0\24\0\0\0" ... {96, 120, reply, 0, 1736, 376, 75541, 0} "\2\0\370\0\1\0\335\341<\0\370\0\226\245\335\341\264\311\275\201:\332R\200X{\266\367\]\222\201\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\324\0\0\0z\0\0\0\1\0\0\0\0\00\0\5\0\0\0\0\0\0\0\5\0\0\0" )  ... {96, 120, reply, 0, 1736, 376, 75541, 0}  (96, {96, 120, new_msg, 0, 1736, 376, 75540, 0} "\1\314\0\0A\2\34\0\377\3\37\0\240\314\274\201\0\374\340\377H=\266\367\377\377\377\377d=\266\367\0\0\0\0\265\22\275h\33\327\262O\270\2\260 0\232\275k\7\0\0\0\0\0\0\0\7\0\0\0d\224DT5\32\0\0\4\0\0\0\1\0\0\0\0\00\0\24\0\0\0\0\0\0\0\24\0\0\0" ... {96, 120, reply, 0, 1736, 376, 75541, 0} "\2\0\370\0\1\0\335\341<\0\370\0\226\245\335\341\264\311\275\201:\332R\200X{\266\367\]\222\201\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\324\0\0\0z\0\0\0\1\0\0\0\0\00\0\5\0\0\0\0\0\0\0\5\0\0\0" )  ) == 0x0
 01130   376   NtCreateFile  (0x80100080, {24, 16, 0x40, 0, 1244944, "q}, 0x0, 128, 3, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_INVALID
 01131   376   NtRequestWaitReplyPort  (96, {96, 120, new_msg, 0, 1736, 376, 75541, 0}  (96, {96, 120, new_msg, 0, 1736, 376, 75541, 0} "\1\0\0\0A\2\34\0<\0\370\0\226\245\335\341\264\311\275\201:\332R\200\377\377\377\377\]\222\201\0\0\0\0\265\22\275h\33\327\262O\270\2\260 0\232\275k\10\0\0\0\0\0\0\0\10\0\0\0d\224DT5\32\14\0\4\0\0\0\1\0\0\0\0\00\0\5\0\0\0\0\0\0\0\5\0\0\0" ... {96, 120, reply, 0, 1736, 376, 75542, 0} "\2+\263\341\1\0T\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\4\0\0\0\0\0\0\0\0\0\0\254f\12\0\1\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\14\0\0\0\0\0\0\0\14\0\0\0" )  ... {96, 120, reply, 0, 1736, 376, 75542, 0}  (96, {96, 120, new_msg, 0, 1736, 376, 75541, 0} "\1\0\0\0A\2\34\0<\0\370\0\226\245\335\341\264\311\275\201:\332R\200\377\377\377\377\]\222\201\0\0\0\0\265\22\275h\33\327\262O\270\2\260 0\232\275k\10\0\0\0\0\0\0\0\10\0\0\0d\224DT5\32\14\0\4\0\0\0\1\0\0\0\0\00\0\5\0\0\0\0\0\0\0\5\0\0\0" ... {96, 120, reply, 0, 1736, 376, 75542, 0} "\2+\263\341\1\0T\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\4\0\0\0\0\0\0\0\0\0\0\254f\12\0\1\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\14\0\0\0\0\0\0\0\14\0\0\0" )  ) == 0x0
 01132   376   NtCreateFile  (0x80100080, {24, 16, 0x40, 0, 1244944, "q}, 0x0, 128, 3, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01133   376   NtRequestWaitReplyPort  (96, {100, 124, new_msg, 0, 1736, 376, 75542, 0}  (96, {100, 124, new_msg, 0, 1736, 376, 75542, 0} "\1+\0\0A\2\34\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\1\0\0\0\0\0\0\265\22\275h\33\327\262O\270\2\260 0\232\275k\14\0\0\0\0\0\0\0\14\0\0\0T\302\242\244EjT\220)\210\242\0\4\0\0\0\0\0\0\0\14\0\0\0\0\0\0\0\14\0\0\0\0\0\0\0" ...  ...
 01134   384   NtUserQueryWindow  (65710, 1, ... ) == 0x108
 01135   384   NtUserValidateHandleSecure  (65708, ... ) == 0x1
 01136   384   NtUserQueryWindow  (65708, 0, ... ) == 0x120
 01133   376   NtRequestWaitReplyPort  ... {96, 120, reply, 0, 1736, 376, 75543, 0}  ... {96, 120, reply, 0, 1736, 376, 75543, 0} "\2\314\274\201\1\0[\200\377\3\37\0\240\314\274\201\0\374\340\377H=\266\367U&\\200d=\266\367\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\4\0\0\0\0\0\0\0\0\0\0\2746\13\0\1\0\0\0\0\0\0\0\1\0\0\0\0\00\0\24\0\0\0\0\0\0\0\24\0\0\0" )  ) == 0x0
 01137   376   NtRequestWaitReplyPort  (96, {88, 112, new_msg, 0, 1736, 376, 75543, 0}  (96, {88, 112, new_msg, 0, 1736, 376, 75543, 0} "\1\314\0\0A\2\0\0\377\3\37\0\240\314\274\201\0\374\340\377H=\266\367\377\377\377\377d=\266\367\0\0\0\0\265\22\275h\33\327\262O\270\2\260 0\232\275k$\4\0\0\0\0\0\0\0\0\0\0\2746\13\0\1\0\0\0\0\0\0\0\1\0\0\0\0\00\0\24\0\0\0" ... {96, 120, reply, 0, 1736, 376, 75544, 0} "\2\0\370\0\1\0\335\341<\0\370\0\226\245\335\341\264\311\275\201:\332R\200X{\266\367\]\222\201\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\324\0\0\0z\0\0\0\1\0\0\0\0\00\0\5\0\0\0\0\0\0\0\5\0\0\0" )  ... {96, 120, reply, 0, 1736, 376, 75544, 0}  (96, {88, 112, new_msg, 0, 1736, 376, 75543, 0} "\1\314\0\0A\2\0\0\377\3\37\0\240\314\274\201\0\374\340\377H=\266\367\377\377\377\377d=\266\367\0\0\0\0\265\22\275h\33\327\262O\270\2\260 0\232\275k$\4\0\0\0\0\0\0\0\0\0\0\2746\13\0\1\0\0\0\0\0\0\0\1\0\0\0\0\00\0\24\0\0\0" ... {96, 120, reply, 0, 1736, 376, 75544, 0} "\2\0\370\0\1\0\335\341<\0\370\0\226\245\335\341\264\311\275\201:\332R\200X{\266\367\]\222\201\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\324\0\0\0z\0\0\0\1\0\0\0\0\00\0\5\0\0\0\0\0\0\0\5\0\0\0" )  ) == 0x0
 01138   376   NtClose  (84, ... ) == 0x0
 01139   376   NtClose  (96, ... ) == 0x0
 01140   376   NtQueryInformationThread  (-2, AmILastThread, 4, ... {thread info, class 12, size 4}, 0x0, ) == 0x0
 01141   376   NtClose  (32, ... ) == 0x0
 01142   384   NtUserQueryWindow  (65708, 1, ... ) == 0x124
 01143   384   NtUserValidateHandleSecure  (196774, ... ) == 0x1
 01144   384   NtUserQueryWindow  (196774, 0, ... ) == 0xc4
 01145   384   NtUserQueryWindow  (196774, 1, ... ) == 0xc8
 01146   384   NtUserValidateHandleSecure  (65656, ... ) == 0x1
 01147   384   NtUserQueryWindow  (65656, 0, ... ) == 0x6b8
 01148   376   NtClose  (72, ... ) == 0x0
 01149   376   NtTerminateThread  (0, 0, ...
 01150   376   NtFreeVirtualMemory  (-1, (0x30000), 0, 32768, ... (0x30000), 1048576, ) == 0x0
 01151   384   NtUserQueryWindow  (65656, 1, ... ) == 0x6ec
 01152   384   NtUserValidateHandleSecure  (196706, ... ) == 0x1
 01153   384   NtUserQueryWindow  (196706, 0, ... ) == 0x6b8
 01154   384   NtUserQueryWindow  (196706, 1, ... ) == 0x6bc
 01155   384   NtUserValidateHandleSecure  (327734, ... ) == 0x1
 01156   384   NtUserQueryWindow  (327734, 0, ... ) == 0x6b8
 01157   384   NtUserQueryWindow  (327734, 1, ... ) == 0x6bc
 01158   384   NtUserValidateHandleSecure  (327772, ... ) == 0x1
 01159   384   NtUserQueryWindow  (327772, 0, ... ) == 0x6b8
 01160   384   NtUserQueryWindow  (327772, 1, ... ) == 0x6bc
 01161   384   NtUserValidateHandleSecure  (65726, ... ) == 0x1
 01162   384   NtUserQueryWindow  (65726, 0, ... ) == 0x19c
 01163   384   NtUserQueryWindow  (65726, 1, ... ) == 0x1a0
 01164   384   NtUserValidateHandleSecure  (262398, ... ) == 0x1
 01165   384   NtUserQueryWindow  (262398, 0, ... ) == 0x6b8
 01166   384   NtUserQueryWindow  (262398, 1, ... ) == 0x6d4
 01167   384   NtUserValidateHandleSecure  (65682, ... ) == 0x1
 01168   384   NtUserQueryWindow  (65682, 0, ... ) == 0x6b8
 01169   384   NtUserQueryWindow  (65682, 1, ... ) == 0x6bc
 01170   384   NtUserValidateHandleSecure  (65670, ... ) == 0x1
 01171   384   NtUserQueryWindow  (65670, 0, ... ) == 0x6b8
 01172   384   NtUserQueryWindow  (65670, 1, ... ) == 0x6bc
 01173   384   NtUserValidateHandleSecure  (262196, ... ) == 0x1
 01174   384   NtUserQueryWindow  (262196, 0, ... ) == 0x6b8
 01175   384   NtUserQueryWindow  (262196, 1, ... ) == 0x6d4
 01176   384   NtUserValidateHandleSecure  (327760, ... ) == 0x1
 01177   384   NtUserQueryWindow  (327760, 0, ... ) == 0x6b8
 01178   384   NtUserQueryWindow  (327760, 1, ... ) == 0x6d4
 01179   384   NtUserValidateHandleSecure  (65852, ... ) == 0x1
 01180   384   NtUserQueryWindow  (65852, 0, ... ) == 0x22c
 01181   384   NtUserQueryWindow  (65852, 1, ... ) == 0x220
 01182   384   NtUserValidateHandleSecure  (65824, ... ) == 0x1
 01183   384   NtUserQueryWindow  (65824, 0, ... ) == 0x22c
 01184   384   NtUserQueryWindow  (65824, 1, ... ) == 0x220
 01185   384   NtUserValidateHandleSecure  (65730, ... ) == 0x1
 01186   384   NtUserQueryWindow  (65730, 0, ... ) == 0xa0
 01187   384   NtUserQueryWindow  (65730, 1, ... ) == 0xe4
 01188   384   NtUserValidateHandleSecure  (65724, ... ) == 0x1
 01189   384   NtUserQueryWindow  (65724, 0, ... ) == 0xa0
 01190   384   NtUserQueryWindow  (65724, 1, ... ) == 0xe4
 01191   384   NtUserValidateHandleSecure  (131406, ... ) == 0x1
 01192   384   NtUserQueryWindow  (131406, 0, ... ) == 0x4b4
 01193   384   NtUserQueryWindow  (131406, 1, ... ) == 0x474
 01194   384   NtUserValidateHandleSecure  (65752, ... ) == 0x1
 01195   384   NtUserQueryWindow  (65752, 0, ... ) == 0x6b8
 01196   384   NtUserQueryWindow  (65752, 1, ... ) == 0x13c
 01197   384   NtUserValidateHandleSecure  (65718, ... ) == 0x1
 01198   384   NtUserQueryWindow  (65718, 0, ... ) == 0x104
 01199   384   NtUserQueryWindow  (65718, 1, ... ) == 0x108
 01200   384   NtUserValidateHandleSecure  (65720, ... ) == 0x1
 01201   384   NtUserQueryWindow  (65720, 0, ... ) == 0x120
 01202   384   NtUserQueryWindow  (65720, 1, ... ) == 0x124
 01203   384   NtUserValidateHandleSecure  (65716, ... ) == 0x1
 01204   384   NtUserQueryWindow  (65716, 0, ... ) == 0xc4
 01205   384   NtUserQueryWindow  (65716, 1, ... ) == 0xc8
 01206   384   NtUserValidateHandleSecure  (65728, ... ) == 0x1
 01207   384   NtUserQueryWindow  (65728, 0, ... ) == 0x19c
 01208   384   NtUserQueryWindow  (65728, 1, ... ) == 0x1a0
 01209   384   NtUserValidateHandleSecure  (65690, ... ) == 0x1
 01210   384   NtUserQueryWindow  (65690, 0, ... ) == 0x6b8
 01211   384   NtUserQueryWindow  (65690, 1, ... ) == 0x6bc
 01212   384   NtUserValidateHandleSecure  (327774, ... ) == 0x1
 01213   384   NtUserQueryWindow  (327774, 0, ... ) == 0x6b8
 01214   384   NtUserQueryWindow  (327774, 1, ... ) == 0x6bc
 01215   384   NtQueryInformationThread  (-2, AmILastThread, 4, ... {thread info, class 12, size 4}, 0x0, ) == 0x0
 01216   384   NtTerminateProcess  (0, 0, ... ) == 0x0
 01217   384   NtClose  (80, ... ) == 0x0
 01218   384   NtFreeVirtualMemory  (-1, (0x0), 0, 32768, ... ) == STATUS_MEMORY_NOT_ALLOCATED
 01219   384   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize"}, ... 80, ) }, ... 80, ) == 0x0
 01220   384   NtQueryValueKey  (80,  (80, "DisableMetaFiles", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01221   384   NtClose  (80, ... ) == 0x0
 01222   384   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 01223   384   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 01224   384   NtQueryVirtualMemory  (-1, 0x77c2807c, Basic, 28, ... {BaseAddress=0x77c28000,AllocationBase=0x77c10000,AllocationProtect=0x80,RegionSize=0x35000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0
 01225   384   NtRequestWaitReplyPort  (28, {20, 48, new_msg, 0, 0, -142464044, -2141869888, -2141960607}  (28, {20, 48, new_msg, 0, 0, -142464044, -2141869888, -2141960607} "\0\0\0\0\3\0\1\0R\250S\200\304+\202\367\0\0\0\0" ... {20, 48, reply, 0, 1736, 384, 75547, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\304+\202\367\0\0\0\0" )  ... {20, 48, reply, 0, 1736, 384, 75547, 0}  (28, {20, 48, new_msg, 0, 0, -142464044, -2141869888, -2141960607} "\0\0\0\0\3\0\1\0R\250S\200\304+\202\367\0\0\0\0" ... {20, 48, reply, 0, 1736, 384, 75547, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\304+\202\367\0\0\0\0" )  ) == 0x0
 01226   384   NtTerminateProcess  (-1, 0, ...
NtCreateMutant(>)	1	NtOpenDirectoryObject(>)	2	NtGdiGetStockObject(>)	5	NtFlushInstructionCache(>)	18
NtFsControlFile(>)	1	NtOpenEvent(>)	2	NtQueryInformationToken(>)	5	NtRegisterThreadTerminatePort(>)	19
NtGdiCreateBitmap(>)	1	NtOpenProcessToken(>)	2	NtDuplicateObject(>)	6	NtTestAlert(>)	19
NtGdiInit(>)	1	NtOpenProcessTokenEx(>)	2	NtOpenFile(>)	6	NtResumeThread(>)	20
NtGdiQueryFontAssocInfo(>)	1	NtOpenThreadTokenEx(>)	2	NtQueryAttributesFile(>)	6	NtFreeVirtualMemory(>)	24
NtGdiSelectBitmap(>)	1	NtQueryDefaultLocale(>)	2	NtQueryVirtualMemory(>)	7	NtContinue(>)	26
NtOpenKeyedEvent(>)	1	NtQuerySection(>)	2	NtQueryInformationProcess(>)	8	NtSetEvent(>)	27
NtOpenMutant(>)	1	NtRaiseException(>)	2	NtUserFindExistingCursorIcon(>)	9	NtOpenKey(>)	29
NtOpenSymbolicLinkObject(>)	1	NtSetInformationObject(>)	2	NtCreateFile(>)	10	NtSetInformationThread(>)	29
NtQueryObject(>)	1	NtTerminateProcess(>)	2	NtSetValueKey(>)	10	NtCreateEvent(>)	31
NtQuerySymbolicLinkObject(>)	1	NtUnmapViewOfSection(>)	2	NtCreateKey(>)	11	NtWaitForSingleObject(>)	36
NtQuerySystemTime(>)	1	NtCallbackReturn(>)	3	NtOpenProcess(>)	11	NtReadVirtualMemory(>)	37
NtSecureConnectPort(>)	1	NtGdiCreateCompatibleDC(>)	3	NtQueryValueKey(>)	13	NtQueryInformationThread(>)	40
NtSetInformationProcess(>)	1	NtReleaseMutant(>)	3	NtUserRegisterClassExWOW(>)	14	NtProtectVirtualMemory(>)	61
NtSetSecurityObject(>)	1	NtUserBuildHwndList(>)	3	NtMapViewOfSection(>)	15	NtRequestWaitReplyPort(>)	61
NtUserCallNoParam(>)	1	NtUserCallOneParam(>)	3	NtTerminateThread(>)	15	NtAllocateVirtualMemory(>)	63
NtUserGetThreadDesktop(>)	1	NtUserGetThreadState(>)	3	NtDeviceIoControlFile(>)	16	NtQuerySystemInformation(>)	91
NtWaitForMultipleObjects(>)	1	NtCreateSection(>)	4	NtOpenSection(>)	16	NtClose(>)	122
NtConnectPort(>)	2	NtQueryVolumeInformationFile(>)	4	NtWriteFile(>)	16	NtUserValidateHandleSecure(>)	137
NtGdiCreateSolidBrush(>)	2	NtUserFindWindowEx(>)	4	NtCreateThread(>)	18	NtUserQueryWindow(>)	268